Lab: From Azure Arc to Cloud C2

Overview

This lab deploys detection capabilities for a complete attack chain:

1. Entry: Azure Arc identity takeover (CVE-2026-26117) — a low-privilege user hijacks the machine’s cloud identity
2. Defense Evasion: Monitoring agent removal via the Azure management plane
3. Credential Access: Key Vault secret harvesting (Storm-0501 pattern)
4. Command & Control: Azure Blob Storage as C2 dead-drop (SpecterOps azureBlob pattern)

Prerequisites

• Azure subscription with Microsoft Sentinel enabled on a Log Analytics workspace
• PowerShell 7.0+ with Azure CLI installed and authenticated
• Roles: Contributor (Bicep deployment), Microsoft Sentinel Contributor (rules + workbook)

Quick Start

# Deploy infrastructure + rules + workbook
./labs/arc-cloud-c2/scripts/Deploy-Lab.ps1 \
    -ResourceGroup "arc-c2-lab-rg" \
    -SentinelResourceGroup "rg-sentinel-lab" \
    -WorkspaceName "law-sentinel-lab"

# Simulate C2 traffic
./labs/arc-cloud-c2/scripts/Test-C2Simulation.ps1 \
    -StorageAccountName "<from deploy output>" \
    -ResourceGroup "arc-c2-lab-rg"

What Gets Deployed

Cost Estimate

• Storage + Key Vault: < $2/month
• Diagnostic logs: ~$2.76/GB ingestion
• Total: < $5/month for lab workloads

Cleanup

az group delete --name arc-c2-lab-rg --yes --no-wait
# Analytics rules and workbook: delete from Sentinel portal

Links

• Blog post: From Azure Arc to Cloud C2
• GitHub: j-dahl7/arc-cloud-c2-sentinel
• CVE-2026-26117: MSRC Advisory
• Cymulate Research: Azure Arc LPE & Cloud Identity Takeover
• SpecterOps azureBlob: Weaponizing Whitelists