Unexpected Azure API calls indicating Bastion host modification

ID: azure_bastion_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modification of an Azure Bastion host via Microsoft.Network/bastionHosts/write. Azure Bastion provides secure RDP/SSH access to virtual machines without exposing them to the public internet. Unexpected modifications to Bastion hosts could indicate an attempt to weaken access controls or enable unauthorized connectivity.

Impact

Modifying Bastion host configurations can weaken secure access controls to virtual machines. Threat actors may enable shareable links to create persistent access paths, modify network settings to expand access scope, or change authentication requirements. Unauthorized Bastion modifications could facilitate lateral movement within the Azure environment.

Severity

Severity   Condition
Low        Bastion host modification detected
Medium     Anomalous Bastion host modification

Investigation and Remediation

Review Azure Activity logs for the Microsoft.Network/bastionHosts/write action. Examine what configuration changes were made and identify the principal responsible. Compare the current configuration against security baselines to identify any weakened settings.

If unauthorized, revert the Bastion host to its expected configuration. Review access logs for any suspicious RDP/SSH sessions that may have occurred after the modification. Rotate credentials for the compromised identity.
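As an added illustration of the triage steps above (example code, not part of AlphaSOC's detection or documentation), the script below walks a set of constructed Azure Activity log records, keeps the successful Microsoft.Network/bastionHosts/write operations, and reports the caller together with any hardened Bastion setting the write loosened. The baseline values, the sample records and the assumption that the request body is stored as a JSON string under properties.requestbody are all constructed for this example.

```python
import json

# Bastion settings that widen access when switched on (ARM property names on
# Microsoft.Network/bastionHosts). The baseline values are a constructed
# example of a hardened profile, not an AlphaSOC-supplied baseline.
BASELINE = {"enableShareableLink": False, "enableTunneling": False,
            "enableIpConnect": False, "enableFileCopy": False}

def find_bastion_writes(events, baseline=BASELINE):
    """Return one finding per successful bastionHosts/write record, with the
    caller, the resource and every baseline setting the write loosened."""
    findings = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if op.lower() != "microsoft.network/bastionhosts/write":
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # failed attempts deserve a look, but changed nothing
        # Assumed layout: the PUT body is stored as a JSON string under
        # properties.requestbody, as in Activity log exports.
        body = json.loads(ev.get("properties", {}).get("requestbody") or "{}")
        props = body.get("properties", {})
        weakened = sorted(k for k, v in baseline.items() if props.get(k, v) != v)
        findings.append({"caller": ev.get("caller"),
                         "resourceId": ev.get("resourceId"),
                         "weakened": weakened})
    return findings

def _event(op, caller, status="Succeeded", props=None):
    """Build a constructed Activity log record for the samples below."""
    return {"operationName": {"value": op}, "caller": caller,
            "status": {"value": status},
            "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-hub/"
                          "providers/Microsoft.Network/bastionHosts/bas-hub",
            "properties": {"requestbody": json.dumps({"properties": props or {}})}}

# Constructed sample records: a read, a write that enables shareable links and
# tunneling, and a write that keeps the hardened settings (scale change only).
SAMPLE_EVENTS = [
    _event("Microsoft.Network/bastionHosts/read", "ops@example.com"),
    _event("Microsoft.Network/bastionHosts/write", "svc-deploy@example.com",
           props={"enableShareableLink": True, "enableTunneling": True}),
    _event("Microsoft.Network/bastionHosts/write", "ops@example.com",
           props={"enableShareableLink": False, "scaleUnits": 4}),
]

if __name__ == "__main__":
    for f in find_bastion_writes(SAMPLE_EVENTS):
        print(f["caller"], f["weakened"] or "no baseline setting changed")
```

A write whose weakened list is empty still merits a look at the principal and timing; the list only points at settings that directly expand access.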