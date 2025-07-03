My research into Microsoft Azure Arc began during a recent red team operation where we stumbled across a PowerShell script containing a hardcoded Service Principal secret that was responsible for deploying Arc to on-premises systems. I didn’t know much about the service, so I started doing some research to determine what we could do with the recovered credentials. We ended up being able to use techniques documented in prior research on this topic to gain code execution on a domain controller and pivot back up into Microsoft Azure, but this got me thinking about some broader questions related to Arc: How do you identify it in environments? What (mis)configurations could exist that would allow for escalation? What other code execution vectors exist within it? Could it be used as an out-of-band persistence mechanism?
So, what is Azure Arc? At a high level, it extends Azure-native management capabilities to a variety of non-Azure resources such as on-premises systems, Kubernetes clusters and VCenter deployments—allowing these systems to be managed through Azure Resource Manager in the same way an Azure-native host would be. Once the Arc agent is deployed to a host, it registers the underlying resource in Azure and exposes a suite of management features: monitoring, policy enforcement, update management, etc. However, of most interest to me was the ability to use it to remotely download files and run commands from a trusted process in the context of NT_AUTHORITY\SYSTEM. While some of the functionality of Arc has overlaps with Intune, Arc is purpose-built for managing infrastructure and servers, not endpoint or mobile devices.
Arc isn’t super new (it originally was released in 2019), and other prior research has outlined how it can be used to execute code and persist in environments. Moreover, existing research on attacking Azure Virtual Machines (VMs) has significant overlaps with Arc, as on-premises systems configured with Arc can be managed in Azure much like an Azure-native VM. With this blog, I’m hoping to provide a bit more context by focusing on areas not as thoroughly explored in existing research, as well as outlining offensive usage of the platform within a typical red teaming workflow and providing accompanying defensive guidance for Azure Arc deployments.
Before getting into the weeds on attacking Arc, I set it up in a test tenant to get a better understanding of how the service works and what the deployment process looks like. As Arc is an Azure service, it requires a subscription and downstream resource group to attach managed resources to; access is also subsequently managed through Azure role-based access control (RBAC) roles assigned on these scopes. If you’re looking to set this up in your own lab, one additional note—you’ll need to register with the following resource providers on your subscription under Subscriptions -> (your subscription) -> Settings -> Resource Providers:
Once these prerequisites have been met, an account with appropriate roles assigned on the subscription associated with Arc can be used to access the service, where you’re met with a general management window.
Because we haven’t yet deployed Arc anywhere, we’ll immediately hop into the Add Resources interface. This menu contains deployment and discovery options for a variety of device types, but of most immediate interest is the Machine functionality that allows us to manage Windows and Linux servers hosted outside of the current Azure tenant. Clicking into this shows a variety of deployment options for a single or multiple host deployment.
Within this interface, Single server and Windows Server with installer options are more suited for one-off deployments, and the AWS / Update Management options focus more on cloud-native devices already managed through Azure or AWS. In this case, we’re most interested in the multiple server deployment option, as this is likely going to be the most common route an IT admin would use in a hybrid enterprise deployment scenario.
Clicking into the multiple server option, the deployment workflow next asks a variety of basic questions regarding the subscription, resource group, and region to attach Arc-managed devices to. Everything is pretty straightforward until the bottom of this page, where we’re prompted for a Service Principal to use for device registration during this deployment. The below block of text essentially just states that you need a Service Principal configured with the Azure Connected Machine Onboarding role to do a deployment, and it also gives you the option to create a new Service Principal with the appropriate role assigned.
In this case, we’ll create a new Service Principal Test_Arc_SP for our deployment.
This creation interface next asks what roles we grant to our new Service Principal. We can select any of the options, including the interestingly named Azure Connected Machine Resource Administrator, without any further context or warnings about the privileges these roles confer.
Finally, we are presented with one of four supported mechanisms to deploy Arc to on-premises hosts, as can be seen in the image below. We’ll be covering each of these in a bit more depth in the Gaining access to Arc section below.
Once Arc is deployed through whatever flavor of installation is chosen and it connects back to Azure, the new client system will show up under Azure Arc -> Azure Arc resources.
When thinking about offensive Arc usage, the first question I found myself asking was, “When I get into a hybrid enterprise environment, what recon can I perform to determine if Arc is in use?” These indicators can largely be broken down into two categories—Azure and on-premises.
Access to Arc is controlled via Azure RBAC, meaning access to the service and even basic visibility into its usage are largely outside of the purview of objects not assigned with any roles in a subscription associated with an Arc deployment. That being said, there are still some indirect methods that can let us determine if Arc is in use and even what systems it is likely installed on that can be identified by an unprivileged Entra user. Walking through the steps of the above deployment process, there are several points at which objects are added or modified within Microsoft Entra that can be observed to determine if Arc is in use within a tenant.
First, when a subscription in an Azure tenant is configured with the Resource Providers necessary for Arc (e.g., Microsoft.HybridCompute), two Service Principals titled Arc Token Service and Arc Public Cloud – Servers will be created. These don’t necessarily mean that Arc has in fact been deployed within an organization, but that at least one subscription in a tenant has been configured in a manner that the service would be supported. An example of this can be seen below in a fresh Azure tenant, before and after configuring the Resource Providers necessary for Arc.
Continuing through the deployment process, a Service Principal is used for joining devices to Arc, as outlined in the deployment process covered in the previous section. This could either be a previously existing Service Principal that manually has had the necessary RBAC roles assigned to it, or an auto-generated Service Principal created through the Arc deployment interface. If an administrator were to create a Service Principal directly through Arc, it is automatically configured with the AzureArcSPN tag by Azure, which is searchable by an unprivileged Entra user either directly from the Azure command line or from within collection results from ROADrecon and AzureHound. While again not providing concrete evidence that Arc has in fact been deployed, a Service Principal configured in this manner would show that an administrator in this tenant had at least interacted with the steps of the Arc deployment process. An example of creating a Service Principal through Arc, as well as the resulting identifiable tag data collected by ROADrecon, can be seen below.
Finally, when a system is onboarded onto Arc, a Managed Identity is created within Entra for the machine and can be granted roles both in Entra and Azure like any other Service Principal. Since this managed identity is present within Entra, by default, a non-privileged principal can enumerate systems onboarded into Arc by filtering collected Azure recon data to search for devices with a ResourceID containing Microsoft.HybridCompute (note that this is different than a hybrid-joined device within Entra and shouldn’t yield any false positives). If you have access to the Azure command line, this process is pretty straightforward, using the following command:
This long ResourceID string also has the added benefit of containing the subscription ID and resource group the system is associated with, allowing for identification of multiple Arc deployments spanning different environments.
Alternatively, if you’ve collected Azure data via ROADrecon or AzureHound, you can parse those results to identify Arc-managed objects. Within ROADrecon, the pertinent information is stored within the ResourceID, and within AzureHound JSON collection files, the same information is stored within the AlternativeNames attribute. While it does not appear that this attribute is copied into BloodHound or is otherwise not directly accessible, directly searching the JSON file can allow for recovery of a complete list of managed objects.
On-premises indicators of Arc deployment fall into one of two categories: localhost and network. When the Arc client is installed on a system, it will create the C:\Program Files\AzureConnectedMachineAgent folder, which contains all pertinent files related to the Arc client. The presence of this folder, as well as Arc-related processes and services (e.g., gc_arc_service.exe or arcproxy.exe), can provide some straightforward things to check for. Additionally, based on the deployment mechanism used to push the Arc client to systems on the network, there may be some additional things that could be searched for. For example, if Arc is deployed via GPO, the setup process creates an auto-generated GPO named [MSFT] Azure Arc Servers Onboarding(DateTimeOfGPOCreation).
So, if we’ve identified that Arc is in use in an environment, how do we gain access to it? To answer that question, it’s important to first understand what specifically constitutes access that we would be interested in. As the primary end-goal of access would typically be to execute code on a managed endpoint, working backwards from permissions that allow for code execution to the Azure roles that grant those permissions can provide a pretty good starting point for accounts and roles we may be interested in. Looking back at prior research from Benedikt Strobl at NSIDE Attack Logic, we see that we can run a PowerShell query that will get all roles granting permissions that enable at least one mechanism of code execution through Arc (more to come on the specifics of these mechanisms in the next section). The query and resulting output can be seen below:
Other than a few odd roles that stick out, such as Log Analytics Contributor, one of the most interesting is the Azure Connected Machine Resource Administrator role. If you recall from the prior Azure Arc deployment process section, this was one of the roles that was assignable to the Service Principal created during the Arc deployment process.
This essentially puts the deployment Service Principal, which by necessity will likely have its secret accessible on the on-premises network, a single checkbox (a checkbox that has no warning or additional context on risk) away from being an admin within Arc. A Service Principal with this administrative role inadvertently assigned during creation could not only be used to register new Arc clients within Azure but also run commands on any installed Arc client. It was this understandable oversight that we identified and took advantage of during our recent assessment, allowing us to escalate privileges through Arc and take over the client’s on-premises environment.
This deployment Service Principal seems to be a pretty good initial target, especially if you don’t have the privileges necessary to grab listings of other accounts with the other noted roles granting code execution assigned to them. But how would you go about trying to gain access to it? First, and probably most directly, if you have a path within Entra to gain access to a Service Principal associated with Arc via adding a secret to it, (e.g., owner of the Service Principal, Application Administrator, etc.) you could directly modify the object and then use it to authenticate, potentially allowing you to gain privileged access to Arc. Beyond this, the deployment mechanisms that Arc uses can also be misconfigured or otherwise allow for escalation via recovery of the deployment Service Principal secret. We’ll next take a look at each of the four primary enterprise deployment mechanisms supported by Arc to identify potential escalation paths to check for.
The default and most basic deployment method for Arc is via downloading an auto-generated PowerShell script that an IT admin can run across multiple systems. This script pulls the pertinent MSI installer from Microsoft’s website and subsequently performs the follow-up configuration to connect the installed client to the correct Azure tenant. Somewhat hilariously, the supported default authentication mechanism within this auto-generated script is to hardcode the secret of the Service Principal that is being used for deployment into the script.
As this deployment mechanism is so straightforward, there isn’t really much to go into on gaining access outside of keeping an eye out during normal file share recon for PowerShell scripts with the default script name of OnboardingScript.ps1, as well as scripts with names or content related to Arc.
Selecting Configuration Manager for deployment generates a PowerShell script identical to the one above, with the main difference being that Arc provides additional guidance on how to deploy the script directly through Microsoft’s System Center Configuration Manager (SCCM), either via a direct script run or as a task sequence.
Although these are the two recommended mechanisms for deployment, an IT admin may alternatively use some other deployment mechanism through SCCM, such as a package or application installation. Regardless of the deployment option in use, it’s important to keep in mind the concept of collections within SCCM, which serve as the target scope for the deployment of task sequences and (optionally) scripts. Attempting to recover SCCM data from a random host in the environment likely won’t yield great results because if the host isn’t a member of the appropriate collection, it will not be able to retrieve pertinent information in most cases. Instead, first moving laterally to a host that has been identified as being an Arc client (or even better, an SCCM Management Point or database server) and then performing SCCM recon will likely have better results.
The SCCM Configuration Manager contains functionality that allows admins to run PowerShell scripts on managed systems. Scripts aren’t pulled by the SCCM client in the same way as task sequences or packages; rather, they are pushed out from the server on demand to client systems. To test this out, we can build out a simple script in the SCCM Configuration Manager using the auto-generated Arc deployment script. We’ll leave the secret unfilled for now, as the system we are deploying to already has Arc installed on it.
When the script is deployed through SCCM, it will be copied into the C:\Windows\CCM\ScriptStore directory on the client system and configured with a discretionary access control list (DACL) that restricts access to only NT_AUTHORITY\SYSTEM, prior to being run by the SCCM client. Files in this folder are periodically cleaned up based on instance-specific configurations, but it’s definitely worth checking for this or other scripts that may contain sensitive data.
Alternatively, if you gain access to the SCCM database, you can directly recover all scripts created in SCCM using the ScriptData module in SQLRecon. An example of the output from running that module against the site database for an SCCM instance configured with a script to deploy Arc can be seen below.
Realistically, deployment via SCCM script probably isn’t super likely in practice, as SCCM script execution is a manual, point-in-time process. If new servers get brought online and need to be added to Arc at any point in the future, an admin would need to remember to go in again and re-run the script to apply it to additional systems.
A more automated and scalable deployment process would be through a task sequence applied to an SCCM collection. To test this mechanism, we can create a simple task sequence that runs the Arc deployment script and deploy it to an SCCM collection containing a system we’re running from.
After deploying this script, we can run the get secrets command in SharpSCCM to recover accessible task sequences containing scripts, as policies containing scripts have the secret flag appended to them.
The SourceScript property within the pertinent policy contains a b64 representation of the original script being passed in. Converting it back to plaintext allows us to recover the original script.
Similarly to options available when recovering a script, if we have access to the SCCM site database, we can also just directly recover task sequence data using SQLRecon.
Arc deployment via Group Policy is a bit more complicated than the two prior mechanisms and consists of multiple steps that begin with setting up a network share that the script, run via Group Policy Object (GPO), can point to. The official guidance helpfully states that all domain computers should have read + write access to this share, meaning that if this deployment mechanism is in use, the Service Principal secret should be recoverable from any NT_AUTHORITY\SYSTEM context in the domain.
After setting up the share and downloading + copying over the Arc client MSI, the next step involves downloading a GitHub repo containing PowerShell scripts and associated DLLs that are used to automatically create the GPO.
Finally, a PowerShell script that calls the files downloaded from GitHub is generated, with arguments based on the location of the previously set up Arc deployment share.
Running this resulting PowerShell script will cause a GPO to be created, which creates a scheduled task that installs the Arc client using the files hosted on the deployment network share and connects it to Azure. This GPO can subsequently be linked to an Organizational Unit (OU) containing systems to deploy Arc on.
If a GPO matching this naming convention is identified during standard Active Directory reconnaissance, GPO files can be reviewed to determine the location of the network share containing the deployment files.
With some sort of access in the context of NT_AUTHORITY\SYSTEM, this share can be remotely browsed to (if created with the default / MS-recommended access), which will look like the following:
Of most interest is the extremely conspicuously named encryptedServicePrincipalSecret file. Taking a look at the EnableAzureArc.ps1 script shows that this secret is a blob encrypted using DPAPI-NG.
DPAPI-NG (or Cryptographic Next Generation [CNG] DPAPI) allows not only for user- or machine-specific DPAPI encryption and decryption functionality but also allows for operations based on the memberships of an object. For example, in this instance, the DPAPI-NG blob within encryptedServicePrincipalSecret is configured to allow any member of the domain computers group to decrypt it. I threw together a super simple PowerShell script as a proof of concept, but it should be quite straightforward to translate the code from AzureArcDeployment.psm1 (which itself is just a wrapper around .NET code) into an assembly that can be ran in-memory on a beacon in the context of NT_AUTHORITY\SYSTEM to recover and decrypt the secret.
Finally, all other pertinent connection info, such as the Service Principal ID, Subscription ID, etc., can be found in the ArcInfo.json file also located in the same deployment share.
The final official deployment option generates an Ansible playbook very similar to the PowerShell scripts covered above. Specifics of attacking Ansible will vary quite a bit based on the setup and environment, and as a result, we won’t expand further on this deployment mechanism.
While Arc supports management of Linux hosts, deployment methods available directly in the Arc blade in Azure skew heavily towards Windows-based devices. Linux deployments are supported through the usage of a bash script, but similarly to Ansible deployments, they will likely have a much higher degree of variation in them when applied across an enterprise environment.
Moving forward, let’s assume we’ve successfully recovered the secret for a Service Principal, and that this Service Principal (or another recovered account) has execution privileges within Arc. As the whole purpose of Arc is to expose on-premises devices to the Azure control plane, a variety of code execution primitives typically associated with Azure VMs come into scope for gaining access to on-premises hosts that have the Arc client installed on them. However, staying focused on execution avenues that only require the above-noted Arc-specific permissions gives two broad categories of execution actions—run commands and extension additions/modifications. Both execution vectors function pretty much identically to an equivalent execution against an Azure VM and have been documented at length by others in prior blogs/tooling, so we won’t get too deep into specifics on them beyond operational usage and some neat quirks that aren’t as widely documented.
The run command is a sort of pseudo-extension that shares many of the on-disk characteristics and execution tree specifics with other extensions but is automatically installed alongside Arc and does not show up in the installed extension list of a managed system. This capability allows for a straightforward way to run commands on a client managed through Arc, with the main prerequisite being that the client version must be >= 1.33. You can verify this with the az connectedmachine show command, as shown below.
Note that attempting to run a command through the az commandline (CLI) requires not only the previously noted write permissions but also read privileges on the resource group, which by default an auto-generated Service Principal won’t have. As a result, attempting to run a command directly from the az CLI results in an error.
This can be bypassed by interacting with the Azure REST API directly, although it won’t be possible to retrieve output from executed commands. In this example, we’ll create a run job named run-notepad that just starts notepad.exe on the client system.
The command that is passed in is written to a PowerShell script in C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\[version]\Downloads folder, with a name corresponding to the name of the run job as created within Arc and ultimately run in the context of NT_AUTHORITY\SYSTEM.
This PowerShell script isn’t automatically deleted at the conclusion of execution, although additional executions of a run job with the same name will cause the original script to be deleted and a new one created with an iterated suffix, as seen below.
In addition to this script, several other files are created on disk during each run command execution. These will be covered in greater depth in the Defensive guidance section.
Additionally, keep in mind that a run command creates an object within Azure that needs to subsequently be deleted once execution has completed. As this action doesn’t read at the resource group level, it can be run directly through the az CLI.
Arc clients can have their functionality augmented through the installation of a variety of Microsoft-approved extensions, similarly to Azure VMs. The most often abused extension is the Custom Script Extension (CSE) for Windows, which allows for both the execution of arbitrary commands and the downloading of files from the internet. However, other extensions offer different execution trees that may help evade a static detection focused on the execution of a CSE. We’ll next take a look at both execution via a CSE, as well as the Windows Admin Center extension.
Assuming you’re running in the context of a Service Principal provisioned with the Azure Connected Machine Resource Administrator role in a subscription with default settings, you’ll once again need to send commands through Azure’s REST API. Prior to execution, one caveat of extension-based execution is that only a single copy of an extension can be deployed to a host at any given time, meaning that if a CSE has already been added to the targeted host, you would need to update the existing extension, instead of creating a new extension. The list of currently installed extensions on a host can be retrieved from the az CLI with the following:
In this instance there are no extensions yet installed on this host:
A bunch of args are required when creating a CSE, the most important of which is the protectedSettings arg, as it contains an optional commandToExecute attribute. Fittingly, this attribute is where command execution args are placed. An example az CLI command that can be run against the REST API to create a CSE that launches Notepad can be seen below:
Running this once again results in an execution in the context of NT_AUTHORITY\SYSTEM.
Once a CSE has been created, you can also further check in on its current status via the REST API, using a command formatted as follows:
Through running this, we can see that the CSE deployment remains in an executing state until the process it launched is terminated on the client system.
It’s important to keep this behavior in mind as extensions can’t be force-stopped, even by attempting to delete the CSE. This means if you launch a CSE that spawns a long-running process that doesn’t grant you access to the system, and you don’t have another mechanism (such as run commands) that allows you to kill the process, you could potentially lock yourself out of further CSE executions until the box reboots. Additionally, if you are using a CSE as a mechanism to deploy a C2 beacon, it’s recommended to migrate out of the originating process so you can clean up the CSE object.
Moving on, let’s say we want to do something a bit more advanced with our CSE execution than just run Notepad. Several options exist for updating our current CSE, and we can either update in place or remove the CSE extension and redeploy. Updating in place is simpler but relies on the prior CSE execution being in some form of a completed state (e.g., succeeded, failed) prior to running. To update an already-existing CSE, you can simply modify and resubmit the original command you passed to the REST API to create it, changing the commandToExecute attribute value to whatever your updated command is. This has the added benefit of maintaining the CSE folder structure on the client system between executions.
I’ve found that in some cases, the CSE can get hung in a Creating state, even when the process it has executed is no longer running on the client system. The best way I’ve found to identify this state is by checking the extension list on the affected host, which will predictably show the host in a provisioningState of Creating, but if a process is actually still executing through the host, you’ll also note a status message showing that execution is occurring.
If you find your CSE in this “Creating, but not actually running” state, the best approach is to delete it entirely (if you’re sure the process you executed with it is no longer running), which can be accomplished with the following command:
Attempting to delete a CSE when the underlying executable is still running (e.g., an https beacon running as NT_AUTHORITY\SYSTEM that can’t egress due to proxy controls) will not cause the process to exit, nor will it cause the CSE to delete itself. Instead, it can result in the CSE extension getting stuck in a Deleting state indefinitely, with the only full remediation I identified being to delete the Hybrid Identity parent object from Azure, uninstall the Arc client from the managed system and reinstall everything. It sounds scary, but once I figured this out, it was like a five-minute process to get everything up and running again.
One other thing to keep in mind regarding deleting CSEs: the deletion process removes the C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension folder from the disk of the client system, wiping any files you may have uploaded or modified in that structure. Furthermore, it does take three to five minutes to process the CSE delete command in Azure; this is normal.
One of the interesting things that a CSE can do in addition to executing commands is downloading files from the Internet. An array of files can be specified under the settings arg in the fileUris attrib, which allows for the download of files to the C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\[version]\Downloads\[iterator] folder. This folder structure persists until the CSE is deleted within Azure, at which point everything related to the CSE extension is deleted from disk. This means that you could create a script that would copy files out of this folder to elsewhere on disk, allowing for a mechanism for smuggling files that doesn’t rely on a traditional web download cradle. As these files persist once they are moved outside of the default directory, they could be copied and then run with a subsequent CSE from elsewhere on disk, breaking a static detection dependent on identifying executions from the previously noted CSE downloads folder.
When creating more advanced logic like this, which may or may not succeed, it is also helpful to be able to retrieve output that indicates if an execution was successful or not. While we’re not able to directly recover output from CSE executions, exit codes are returned, meaning that we can include conditional branching in our code that exits with a specific code based on the current state of the program (e.g., successful file copy). Putting these pieces together, let’s stage a super contrived demo that does the following:
A simple PowerShell script that accomplishes these things would look something like:
When formatting this with all necessary escapes to allow for this script to be passed in a JSON blob via the az REST API, we get a command that looks like the following:
We run the above, and after waiting a minute for execution to complete, we can check its status with the az connectedmachine extension list command. Running this shows that we got an exit code 10 back, indicating successful execution. The error message is a generic message indicating a non-zero return code, which doesn’t concern us.
Checking the remote system, we can also verify that the files have been successfully copied over.
As we can see, this code starts getting complicated quite quickly. To streamline things further, it would also be possible to download a PowerShell script by adding it to the fileUris array and then calling it from the commandToExecute attribute.
Before we move on, let me share one last idea on how you could increase the stealth of this technique by changing its execution fingerprint. If you recall from our initial process launch via CSE, cmd.exe appeared at the top of the execution tree, with no readily visible parent process.
Taking a look at this top-most cmd.exe process shows a non-existent parent Process ID (PID) of 5068.
We can dig in a bit further with Process Monitor, showing our mystery Parent Process ID (PPID) of 5068 was yet another instance of cmd.exe, which created our current process tree through a cmd /c call. This mystery cmd process was itself spawned by gc_extension_service.exe in PID 3588 through running the enable.cmd script.
Why does any of this matter? Well, currently, we have a fairly static execution tree from gc_extension_service -> cmd.exe -> cmd.exe -> CustomScriptHandler.exe -> cmd.exe -> [whatever we run via CSE]. If we could insert ourselves higher up in that chain, we could bypass detections focusing on suspicious executions that come from that well-known process tree structure. As this .cmd file is just an unsigned script being run by NT_AUTHORITY\SYSTEM out of a known location as a result of an event that we control (creating or modifying a CSE), it would be possible to modify this script to redirect the standard execution flow to directly call a process of our choosing. Assuming our only execution vector on the host is through Arc, it does present a bit of a chicken-and-egg problem, though, as we would need to execute through a known process tree to modify this file. However, performing text modifications on an unsigned file has a much lower detectability profile when compared to other typical post-exploitation actions. I won’t go into further specifics on this modification (or other similar modifications that could be made to other extensions), but just an idea of something neat you could do.
Up until this point, we’ve focused on attacks that are possible using the non-interactive REST API from the standpoint of an overprovisioned Service Principal configured with the Azure Connected Machine Resource Administrator role. However, if we have an account that has web Graphical User Interface (GUI) access, the scope of what can be done increases substantially. There are a variety of extensions that can be pushed to managed clients and open new avenues of code execution, but when I was poking around within Arc, one that ended up being of the most interest to me was the Windows Admin Center (WAC). Arc can deploy the back-end management component of the Windows Admin Center—a standalone remote management tool released by Microsoft—via an Arc extension. It’s not possible to directly interact with this extension via the Azure REST API to my knowledge, but a variety of system management options are exposed via the GUI once deployed to a client.
Once the WAC (lol) extension has been installed on an Arc-managed system, it can be accessed directly via the Arc portal by browsing into the managed device, assuming you have the appropriate role assigned (or can assign it to yourself).
With appropriate access configured, you can connect to the management interface and execute code through a variety of different mechanisms, including process creation, scheduled task creation/modification, service modification and registry modification. I’ll avoid going into the specifics of each of these, but will quickly discuss process creation as an example demonstrating some of the quirks of executing through WAC.
Process creation is probably the most straightforward way to run code via WAC, simply enter a process to start (with optional args) and click go.
Interestingly, this runs in the context of a virtual account (WAC_[your azure username]), but in a high-integrity context with full token privileges, as can be seen by piping out a whoami /priv to a text file on disk.
The process itself spawns as a child of WmiPrvSe.exe, a familiar process tree for those familiar with lateral movement via Process.Create. When a command is run in this way, the virtual account has a user folder created for it on disk, leaving behind even more IOCs that must be cleaned up. It sure is easy to use, though!
In addition to these code execution vectors, there are various other management features such as graphical file and file share browsing, a must-have feature for your very own enterprise-grade C2.
WAC also has a VM control panel, which allows for the installation of Hyper-V on the managed system, and subsequently for the deployment and management of VMs.
This feature initially looked super promising, but I ran into issues first when trying to figure out how to deploy an ISO file to the host. The file browser within WAC has built-in upload functionality, but unfortunately has quite a low cap on upload size. This meant a fallback mechanism would need to be implemented to get a suitable ISO on the system in order to build a VM. Subsequent issues were found that would also likely present themselves in an enterprise environment regarding nested virtualization. As many systems in an enterprise environment are typically virtualized, Intel VT-x / AMD-V would need to be enabled on the system to allow for nested virtualization.
Finally, with all these available management features, there is no shortage of interesting attacks you could perform via file replacement or modification to hijack things Arc / WAC are doing in the background to further mask any post-exploitation actions. Remember, this is just one of many available extensions available to deploy to Arc-managed clients; similar code execution vectors undoubtedly exist in others that may offer further functionality.
Note that WAC performs its own standalone installations and thus significantly expands the on-disk footprint and cleanup requirements associated with a compromise. Additionally, actions that run in the context of a WAC_ account will result in additional on-disk actions such as a user folder being created, although no local user profile is generated for the account. That being said, while this serves as a cool avenue that opens up a bunch of code execution vectors, it may be something I skip on a mission-critical server.
Let's say you recovered a Service Principal secret, but it has been properly provisioned to only allow for the onboarding of systems. It may still be worthwhile to attempt to onboard a system you control to see if any automated installations or configurations containing additional credential material are pushed downstream to your system.
This is a topic that I hadn’t seen much mention of until Andy Gill’s recent blog on using Arc as a C2 mechanism. Arc is great in that it is a legitimate Microsoft product and communicates directly back with well-known API endpoints within Azure, meaning it is typically overlooked by Endpoint Detection and Response (EDR) products. While I’m not recommending trying to operate through Arc, it serves as an interesting out-of-band mechanism for fallback persistence within an environment. Even if a host is hybrid-joined to an Entra environment, there is no requirement that it connects to an Arc instance hosted in the same tenant. Really, what this means is that if you have a high-integrity context on a host that is not already managed via Arc, you can deploy your own Arc client and manage it through your own Azure tenant.
As Andy’s blog does a great job of detailing the overall usage of Arc for persistence, I’ll only add a small point for operationalization when GUI-based access is not possible (such as what would be typical when operating through a C2 agent). Reviewing deployment scripts, the Arc client install process largely consists of two parts: installation of the actual client via an MSI installer, and connecting the installed client to an Azure tenant via command-line args passed to the Arc Connected Machine Agent (C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe). Both steps in this process can be completed either locally or remotely (using your preferred lateral movement code execution avenue) from a non-interactive command-line context, using the rough syntax of:
1.
2.
Once connected, the system will show up within the Arc blade in your Azure tenant, and you can use the az CLI, az REST API, or GUI to perform actions on it. Now that the Arc client is connected to a tenant you have full control over, there is also a wider array of options available for subsequent code execution that extend beyond the scope of what has been covered in this blog.
One additional point on deploying Arc: unfortunately, you cannot connect “over the top” of another Arc setup without first disconnecting the existing Arc connection—an operation which requires the Azure Connected Machine Resource Administrator role. You could probably get around this by completely uninstalling and then reinstalling the Arc client, but that wouldn’t be my first option for execution or persistence. Really, what this means is that if a system already has Arc installed on it, you should focus on gaining access to it through the existing connection, instead of trying to set up a connection to your own tenant on it.
Note: This list is not meant to contain an exhaustive list of all research related to offensive usage of Arc; rather, it contains a listing of articles and talks that helped me gain an understanding of the platform as well as attack vectors available through it.
