RED TEAM SERIES

Red Teaming in the Cloud: Deploying Azure VMs for C2 Infrastructure

Nairuz Abulhul
Published in R3d Buck3T
10 min read, Dec 15, 2023


A Guide to Deploying Red Team Infrastructure on Azure


Building a robust infrastructure is essential for the success of the red team operation. Cloud platforms provide red teamers with a resilient, scalable, and easy-to-deploy infrastructure that allows them to operate efficiently while minimizing exposure.

In this guide, we will use the Microsoft Azure cloud platform to build our C2 infrastructure: setting up a virtual machine as the Command & Control server, installing the Mythic C2 framework, and configuring Azure CDN redirectors to hide the C2 traffic when interacting with the target network.

This guide will be divided into four parts. In Part One, we will cover an overview of the Azure platform and how to create a virtual machine that will serve as the C2 server later.

Getting Started with Azure

The first step to get started with Azure is to create an account by visiting https://portal.azure.com/. When logging in to the portal for the first time, we’re typically presented with three account options to choose from:

Azure Account Options

  • Start with an Azure Free Trial: This subscription offers $200 free credits to spend on Azure services in the first 30 days.
  • Manage Microsoft Entra ID: This option covers the service previously known as Azure Active Directory (Azure AD), an identity and access management (IAM) solution that lets users manage identities and control access to their applications, data, and resources.
  • Access student benefits: This subscription requires a student email to access developer tools with free Azure credits.
Figure 01 — shows Azure account options.

We will begin with the free service by selecting “Start with an Azure free trial” and upgrade later. The $200 offered for the free trial is more than enough to create the infrastructure needed for this lab series.

To start with the free trial, we need to provide some necessary information, such as an email address and phone number. The phone number is used for account verification purposes.

Additionally, we will need to use a valid credit card to verify our identity. It’s important to note that Azure doesn’t accept virtual or prepaid cards, as it might lead to fraudulent activities and inconsistent billing.

Figure 02 — shows the Payment section to create an Azure account.

After the trial is up, we will be asked to enroll in either one of the below subscriptions to keep using Azure services. There are no automatic charges after the free credits are over.

Azure Subscriptions

  • Pay-as-you-go: Allows users to pay for Azure services on a consumption basis. This means you are billed for the resources you use, and there are no upfront costs or termination fees.
  • Enterprise Agreement (EA): Allows organizations to commit to a certain amount of spending and receive discounted rates.

Navigating the Azure Portal

After finishing the registration process, we will be redirected to a confirmation page that says, “You’re ready to start with Azure”. When we click “Go to Azure Portal”, we will be presented with the Azure services, as seen in Figure 03.

Figure 03 — shows the available Azure Services when logging into the portal.

In order to start using any of the Azure Services, it is necessary to create a subscription, even when using the trial period. This will ensure that after the trial ends, users will be prompted to upgrade to one of the options mentioned in the previous section.

An Azure subscription includes all the resources created and associated with it, such as Virtual Machines (VMs), Content Delivery Networks (CDN), and Active Directory (AD) services. Users can create as many subscriptions as they can afford, but the free trial only allows for one subscription.

Creating Azure Subscriptions

To create a new subscription, navigate to the main dashboard, click on the Subscriptions icon, and provide a name and a tag for the subscription, as seen below.

Tags are labels that can be attached to any Azure service to help you manage and track resource costs, and they are searchable. Tags are optional, but using them is good practice.

Figure 04 — shows creating a new subscription with the name Infrastructure.

Once it’s created, we can click on it to view more details, such as the subscription ID, its status (active or disabled), the option to rename it, and the cost associated with the resources under the subscription.

Figure 05 — shows the details of the Infrastructure subscription.

Creating Resource Groups

After setting up the subscription, we create a Resource Group. This group acts as a container for all related Azure resources, such as virtual machines, databases, CDNs, etc.

We can assign any name to the resource group, but it is recommended to use a clear and concise name, such as a project code or project name, to make operational expenses easy to track later when billing the client.

To create a new Resource Group, simply click on the “Resource Groups” tab on the main dashboard or side menu and then click on the “Create resource group” button.

In the Project details, we select the subscription that we want to add the resources to and provide a group name such as red-ops. We also need to select the region where the resources will be hosted. If we are setting up a red team operation, it’s advisable to use the same region as the client we are testing for. This way, the traffic generated by our operation blends in with their regular expected traffic.

💡It’s important to note that all the other services we create for this resource group, such as CDNs and VMs, must be in the same region as the resource group.

Figure 06 — shows creating a new resource group.

Next, we add a tag, review the entered information, and click Review + Create.

Figure 07 — shows the creation of a tag for the new resource group.

Cost Management

The billing section in Azure provides detailed information on the usage and costs associated with resources. To track the Azure $200 credit, go to “Cost Management + Billing” and click on “Summary”.

Figure 08 — shows the cost summary of the setup services.

Spinning up Virtual Machine (VM)

To create a new virtual machine, go to the main dashboard, click Virtual Machines, and select Azure Virtual Machine. If you’re using the free account, the VM consumes your free credits, so be sure to stop the VM when not in use to save money.

Figure 09 — shows creating a new Azure virtual machine.

Next, we will need to select the subscription and resource group that we have previously created, “infrastructure” and “red-ops”. In the instance details section, we will specify a name for the virtual machine; I have named it “mythicC2” since it will serve as the host for the Mythic C2 framework.

We will keep the default configuration for the Availability Zone and Security Type, which is Zone 1 and Trusted launch respectively.

Figure 10 — shows the VM’s initial configurations.

To select the machine specification, we can choose the Standard option with 8GB of memory; the available options might be different if using the trial version.

As for the Administrator account section, we will need to choose the SSH key for authentication and then create a new SSH key pair that can be used later to access the VM.

Figure 11 — shows selecting the VM disk size and authentication option.

All inbound connections are blocked by default, except for port 22 (SSH).

Figure 12 — shows port 22 for SSH is allowed by default.

Next, for the OS disk size, we will go with the default option of 30GB, with no encryption, as we don’t need it for the current testing purposes.

If you want to use encryption, you will need to enable the feature on your subscription before you can use it. Here is the link to Microsoft documentation on “encryption at host level” for more information.

Figure 13 — shows the VM disk options.

For the networking interface, we will keep the default configuration that will allow the SSH port to open publicly.

Figure 14 — shows SSH port 22 is open in the Public Inbound ports.

The same applies to the Management section; I kept the default settings. The Management section handles VM configurations, including identity management, backup configuration, and certificate-based authentication.

Figure 15 — shows the management section on the VM configurations.

Also, in the Monitoring section, I didn’t make any changes to the default settings. However, you have the option to customize alert rules to receive notifications for significant events related to your VM.

Additionally, you can use other features such as diagnostics to troubleshoot boot failures, and health monitoring to ensure the infrastructure’s availability and performance.

Figure 16 — shows the Monitoring section of the VM configuration.

The Advanced section offers more comprehensive options and settings that go beyond the basic configurations. It includes Extensions that allow for additional software modules to be added to the VM to provide specific functionalities, and Policies that enforce rules for the VM, such as security policies, resource allocation limits, and guest configuration restrictions.

Since we won’t need to modify this part for our VM, we can proceed to the next section.

Figure 17 — shows the Advanced section in the VM configuration.

After adding a tag to the VM, we review the information and click “Review + Create”. We then enter an email and phone number to receive notifications regarding the created resource.

Figure 18 — shows adding email address and phone number before creating the VM.

Lastly, we will be prompted to download the private key to access the machine later after it gets deployed.

Figure 19 — shows downloading the SSH private key to access the VM.

As seen below in Figure 20, our machine is deployed and ready to use.

Figure 20 — shows the machine was successfully deployed.
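The portal walkthrough above, scripted with the Azure CLI as an added example (not the post's own code); the eastus region, the Standard_B2ms size, the NSG name and the 203.0.113.10 operator address are assumptions. It tightens one default: the inbound rule admits TCP/22 only from the operator's own address instead of from anywhere on the internet.

```shell
#!/bin/sh
# Added example (not the post's own code): the portal steps scripted with the
# Azure CLI. Assumed values: subscription "infrastructure", group "red-ops",
# VM "mythicC2", region "eastus", placeholder operator IP 203.0.113.10.
set -eu
AZ="${AZ:-az}"                                # set AZ=echo for a dry run
SUBSCRIPTION="${SUBSCRIPTION:-infrastructure}"
RG="${RG:-red-ops}"
LOCATION="${LOCATION:-eastus}"                # the client's region, as the post advises
VM_NAME="${VM_NAME:-mythicC2}"
NSG_NAME="${VM_NAME}-nsg"
OPERATOR_IP="${OPERATOR_IP:-203.0.113.10}"    # placeholder: your own public IP
TAGS="project=red-ops owner=redteam"          # tags make the cost roll-up searchable

# Resource group in the chosen region; every later resource lands in it.
create_resource_group() {
    $AZ group create --subscription "$SUBSCRIPTION" --name "$RG" \
        --location "$LOCATION" --tags $TAGS
}

# NSG with one inbound rule: TCP/22 from the operator's /32 only, instead of
# the portal default that opens SSH to the whole internet.
create_locked_down_nsg() {
    $AZ network nsg create --subscription "$SUBSCRIPTION" --resource-group "$RG" \
        --name "$NSG_NAME" --location "$LOCATION" --tags $TAGS
    $AZ network nsg rule create --subscription "$SUBSCRIPTION" --resource-group "$RG" \
        --nsg-name "$NSG_NAME" --name AllowSSHFromOperator --priority 100 \
        --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "${OPERATOR_IP}/32" --destination-port-ranges 22
}

# Ubuntu 22.04 Gen2 image, Trusted Launch, 30 GB OS disk, SSH-key-only admin.
# --nsg-rule NONE keeps the CLI from adding its own "SSH from anywhere" rule.
create_c2_vm() {
    $AZ vm create --subscription "$SUBSCRIPTION" --resource-group "$RG" \
        --name "$VM_NAME" --location "$LOCATION" \
        --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
        --size Standard_B2ms --os-disk-size-gb 30 \
        --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true \
        --admin-username azureuser --generate-ssh-keys \
        --nsg "$NSG_NAME" --nsg-rule NONE --tags $TAGS
}

deploy_c2_vm() {
    create_resource_group
    create_locked_down_nsg
    create_c2_vm
}
# Deploys only when run as "sh deploy.sh deploy"; sourcing the file has no side effects.
if [ "${1:-}" = "deploy" ]; then deploy_c2_vm; fi
```

Run it once with AZ=echo to review the exact commands before spending credits; az itself must already be logged in to the trial subscription.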

Connecting to the VM

After the VM is deployed, we check if the VM is active and click on Connect. If it is not, we start the VM.

Figure 21 — shows the Connect functionality in the deployed VM dashboard.

The Connect dashboard provides options for connecting to the machine depending on the operating system of the VM; in our case, we have an Ubuntu machine, and our available options are Native SSH or Azure CLI in the browser.

Figure 22 — shows the Connect options available for connection to the VM.

Native SSH

When selecting the Native SSH option, a side pane will display the necessary steps and commands for establishing an SSH connection to the VM. The first step is to ensure that the TCP/22 port is open in the firewall rule, which we have already allowed when creating the VM earlier.

The next step is to change the permissions of the private key file with the command chmod 400. This command sets the file permissions of the private key file to be readable only by the owner.

After that, you can connect to the machine. If you are not familiar with the SSH command, you can simply paste the path of the SSH private key file into the pane, and it will generate the command required to access the machine.

# Restrict the private key so that only its owner can read it
chmod 400 ~/.ssh/privatekey.pem

# Connect as the VM's admin user; replace PublicIP with the VM's public IP address
ssh -i ~/.ssh/privatekey.pem azureuser@PublicIP
Figure 23 — shows the steps and commands for connecting to the machine via SSH.

As seen below, we were able to SSH to the machine successfully.

Figure 24 — shows SSHing to the VM with the generated private key.

SSH using Azure CLI

The second option uses the Azure CLI from the browser-based Cloud Shell integrated into the Azure portal. It comes with the Azure CLI and other tools pre-installed, allowing us to run PowerShell and Bash commands.

When connecting the first time, the validation process may take a few seconds to get everything prepared. Once it’s ready, we will be prompted to confirm that we understand the policy by checking the box and then clicking on Configure and Connect.

Figure 25 — shows the steps for connecting to the VM using Azure CLI in the browser.

Then, we will be asked to choose between a Bash or PowerShell shell and to create new storage. As seen below in Figure 26, I was connected to the VM using the Bash terminal.

Figure 26 — shows connecting to the VM using the Azure CLI with the Bash shell.

We have reached the end of today’s post. In this article, we covered the fundamentals of the Microsoft Azure platform and created a virtual machine.

Moving ahead, we will focus on setting up and configuring the Mythic C2 server, which acts as the central management hub for our red team operations, as well as implementing Azure CDN redirectors to mask our C2 traffic and maintain stealth.
