Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway

Be aware: Microsofts azbridge tools is an attackers dream.

Description

We have exposed critical offensive capabilities in the `azbridge` tool, which has been available in Microsoft Azure's GitHub repository since 2018. This tool is a legitimate utility connecting network-isolated assets. Our research demonstrates how an attacker can weaponize this tool using its default configuration.

`azbridge` supports attackers in establishing covert C2 channels, exfiltrating data, and enabling lateral movement while evading scrutiny by perimeter defenses. It leverages back-end services that serve Azure Relay endpoints (`*.servicebus.windows.net`) and encapsulates malicious traffic in TLS-encrypted connections to `*.cloudapp.azure.com` endpoints, defeating egress filtering and proxy inspection.

We demonstrate how attackers can use it to maintain persistent network access, bypass network security controls, and conduct post-exploitation using Microsoft's tool. More sophisticated adversaries can re-implement the functionality of this tool in their tradecraft (e.g., implants). For our defensive side friends, we provide initial recommendations on recognizing these techniques to defend against adversaries exploiting legitimate infrastructure.

While not a 0-day, as of 03/14/2025, there are no reports of adversaries using `azbridge,` and no researchers have reported this tool’s potential for abuse. Therefore, we believe it is a novel use case or at least one that has not been publicly discussed.

Why the committee chose this talk

Seeing overground tools abused for attacks in modern cloud environments sharpens the view of defenders.