ProxyBlob is an open-source tool by Quarkslab that creates a SOCKS5 proxy tunnel through Azure Blob Storage. It’s designed for restricted environments where outbound connectivity is limited to trusted cloud services such as *.blob.core.windows.net
A threat operator or pen tester deploys a lightweight agent inside the target network and a proxy on their local machine. They communicate by writing and reading blob, effectively tunnelling TCP and UDP traffic covertly through Azure’s object storage service.
Core Features
- Full SOCKS5 support, including CONNECT, UDP ASSOCIATE, IPv6
- Encrypted data channels using ChaCha20-Poly1305 by default
- Local proxy server, no inbound listener required
- Compatible with Azure Blob and Azurite for local testing
Installation & Setup
On Fedora/Debian:
|
1 2 3 |
git clone https://github.com/quarkslab/proxyblob cd proxyblob make |
This produces two binaries:
proxy: you run this on your local machineagent: you run this inside the restricted environment
Create an Azure storage account or use Azurite locally, then configure:
|
1 2 3 4 5 |
{ "storage_account_name": "yourname", "storage_account_key": "EARLIER_GENERATED_KEY", "storage_url": "http://localhost:10000/" // (omit for real Azure) } |
Real-World Use Cases
1. Red Team Covert Access
During an “assumed breach” assessment, Quarkslab identified outbound Azure Blob access allowed from internally restricted contexts. By deploying ProxyBlob, operators tunnelled remote desktop sessions covertly, bypassing traditional firewall restrictions
2. Testing Environment Evaders
Security teams use ProxyBlob to verify how easily compromised hosts could exfiltrate data via sanctioned services like azureblobstorage. It highlights gaps in zero-trust and internal flow segmentation.
3. Local Testing with Azurite
Developers and auditors can run ProxyBlob locally using Azurite, Microsoft’s open-source storage emulator. This supports safe proof-of-concept testing for red/blue teams.
Performance & Limitations
ProxyBlob is not high-speed instrumentation; it achieved ~1.5 Mbps transfers across regions in tests, a threshold sufficient for file transfers, interactive shell sessions, or RDP within internal networks.
Workload optimisation involves choosing storage locations closest to the agent and proxy to reduce latency.
Operational Considerations
- OPSEC hygiene: containers and tokens should be rotated regularly to avoid reuse
- Firewall monitoring: requests to
blob.core.windows.netmay appear benign, but could indicate covert channels - Credential hygiene: minimise SAS token scope and lifetime
- Audit logs: review storage access logs for unusual agent interactions
Conclusion
ProxyBlob is a novel and technically elegant method to tunnel sockets via an object storage provider, leveraging the near-universal reachability of Azure Blob endpoints. It highlights how legitimate cloud services can serve as covert channels in network defence and red team engagements.
For red teamers, penetration testers, and network defenders, ProxyBlob is a crucial tool for understanding and testing potential Azure-based covert exfiltration channels.
You can read more or download ProxyBlob here: https://github.com/quarkslab/proxyblob.