Az - Service Bus Post Exploitation

Reading time: 6 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Service Bus

For more information check:

Az - Service Bus

Actions: `Microsoft.ServiceBus/namespaces/Delete`

An attacker with this permission can delete an entire Azure Service Bus namespace. This action removes the namespace and all associated resources, including queues, topics, subscriptions, and their messages, causing widespread disruption and permanent data loss across all dependent systems and workflows.

bash

az servicebus namespace delete --resource-group <ResourceGroupName> --name <NamespaceName>

Actions: `Microsoft.ServiceBus/namespaces/topics/Delete`

An attacker with this permission can delete an Azure Service Bus topic. This action removes the topic and all its associated subscriptions and messages, potentially causing loss of critical data and disrupting systems and workflows relying on the topic.

bash

az servicebus topic delete --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <TopicName>

Actions: `Microsoft.ServiceBus/namespaces/queues/Delete`

An attacker with this permission can delete an Azure Service Bus queue. This action removes the queue and all the messages within it, potentially causing loss of critical data and disrupting systems and workflows dependent on the queue.

bash

az servicebus queue delete --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <QueueName>

Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/Delete`

An attacker with this permission can delete an Azure Service Bus subscription. This action removes the subscription and all its associated messages, potentially disrupting workflows, data processing, and system operations relying on the subscription.

bash

az servicebus topic subscription delete --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --topic-name <TopicName> --name <SubscriptionName>

Actions: `Microsoft.ServiceBus/namespaces/write` & `Microsoft.ServiceBus/namespaces/read`

An attacker with permissions to create or modify Azure Service Bus namespaces can exploit this to disrupt operations, deploy unauthorized resources, or expose sensitive data. They can alter critical configurations such as enabling public network access, downgrading encryption settings, or changing SKUs to degrade performance or increase costs. Additionally, they could disable local authentication, manipulate replica locations, or adjust TLS versions to weaken security controls, making namespace misconfiguration a significant post-exploitation risk.

bash

az servicebus namespace create --resource-group <ResourceGroupName> --name <NamespaceName> --location <Location>
az servicebus namespace update --resource-group <ResourceGroupName> --name <NamespaceName> --tags <Key=Value>

Actions: `Microsoft.ServiceBus/namespaces/queues/write` (`Microsoft.ServiceBus/namespaces/queues/read`)

An attacker with permissions to create or modify Azure Service Bus queues (to modiffy the queue you will also need the Action:Microsoft.ServiceBus/namespaces/queues/read) can exploit this to intercept data, disrupt workflows, or enable unauthorized access. They can alter critical configurations such as forwarding messages to malicious endpoints, adjusting message TTL to retain or delete data improperly, or enabling dead-lettering to interfere with error handling. Additionally, they could manipulate queue sizes, lock durations, or statuses to disrupt service functionality or evade detection, making this a significant post-exploitation risk.

bash

az servicebus queue create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <QueueName>
az servicebus queue update --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <QueueName>

Actions: `Microsoft.ServiceBus/namespaces/topics/write` (`Microsoft.ServiceBus/namespaces/topics/read`)

An attacker with permissions to create or modify topics (to modiffy the topic you will also need the Action:Microsoft.ServiceBus/namespaces/topics/read) within an Azure Service Bus namespace can exploit this to disrupt message workflows, expose sensitive data, or enable unauthorized actions. Using commands like az servicebus topic update, they can manipulate configurations such as enabling partitioning for scalability misuse, altering TTL settings to retain or discard messages improperly, or disabling duplicate detection to bypass controls. Additionally, they could adjust topic size limits, change status to disrupt availability, or configure express topics to temporarily store intercepted messages, making topic management a critical focus for post-exploitation mitigation.

bash

az servicebus topic create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <TopicName>
az servicebus topic update --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <TopicName>

Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/write` (`Microsoft.ServiceBus/namespaces/topics/subscriptions/read`)

An attacker with permissions to create or modify subscriptions (to modiffy the subscription you will also need the Action: Microsoft.ServiceBus/namespaces/topics/subscriptions/read) within an Azure Service Bus topic can exploit this to intercept, reroute, or disrupt message workflows. Using commands like az servicebus topic subscription update, they can manipulate configurations such as enabling dead lettering to divert messages, forwarding messages to unauthorized endpoints, or modifying TTL and lock duration to retain or interfere with message delivery. Additionally, they can alter status or max delivery count settings to disrupt operations or evade detection, making subscription control a critical aspect of post-exploitation scenarios.

bash

az servicebus topic subscription create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --topic-name <TopicName> --name <SubscriptionName>
az servicebus topic subscription update --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --topic-name <TopicName> --name <SubscriptionName>

Actions: `AuthorizationRules` Send & Recive Messages

Take a look here:

Az - Queue Storage Privesc

References

https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest
https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

HackTricks Cloud