
AZT301 - Virtual Machine Scripting

Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.

| ID | Name | Description | Action | Resources |
|---|---|---|---|---|
| AZT301.1 | RunCommand | By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM. | Microsoft.Compute/virtualMachines/runCommand/action<br>Microsoft.Compute/locations/runCommands/read | Virtual Machine |
| AZT301.2 | CustomScriptExtension | By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM. | Microsoft.Compute/virtualMachines/extensions/*<br>Microsoft.Compute/virtualMachines/write | Virtual Machine |
| AZT301.3 | Desired State Configuration | By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM. | Microsoft.Compute/virtualMachines/extensions/*<br>Microsoft.Compute/virtualMachines/write | Virtual Machine |
| AZT301.4 | Compute Gallery Application | By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM. | Microsoft.Compute/virtualMachines/write<br>Microsoft.Compute/galleries/write<br>Microsoft.Compute/galleries/applications/write<br>Microsoft.Compute/galleries/applications/versions/write | Virtual Machine, Compute Gallery |
| AZT301.5 | AKS Command Invoke | By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM. | Microsoft.ContainerService/managedClusters/runcommand/action<br>Microsoft.ContainerService/managedclusters/commandResults/read | Azure Kubernetes Services |
| AZT301.6 | Vmss Run Command | By utilizing the 'RunCommand' feature on a virtual machine scale set (vmss), an attacker can execute a command on an instance of a VM as SYSTEM. | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action | Virtual Machine Scale Sets |
| AZT301.7 | Serial Console | By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands. | Microsoft.SerialConsole/serialPorts/connect/action | Virtual Machine |
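
To find which roles in a tenant carry these permissions, the Action column can be checked against role definitions. The following is an added example, not part of the original page: it applies Azure RBAC's wildcard and NotActions semantics to a role and reports the sub-techniques whose listed actions the role grants in full. Treating a row as covered only when every listed action is granted, the `audit_role` helper, the `extensions/write` stand-in and the sample roles are assumptions made for the example.

```python
import re

# Action column of the AZT301 table (subset of rows, copied from the page).
# Assumption: the page lists 'extensions/*'; the concrete 'extensions/write'
# operation stands in for it so it can be tested against a role's patterns.
AZT301_ACTIONS = {
    "AZT301.1": ["Microsoft.Compute/virtualMachines/runCommand/action",
                 "Microsoft.Compute/locations/runCommands/read"],
    "AZT301.2": ["Microsoft.Compute/virtualMachines/extensions/write",
                 "Microsoft.Compute/virtualMachines/write"],
    "AZT301.6": ["Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"],
    "AZT301.7": ["Microsoft.SerialConsole/serialPorts/connect/action"],
}

def _matches(pattern, action):
    """Azure RBAC pattern match: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _granted(permissions, action):
    """True if a permission block allows the action (Actions minus NotActions)."""
    for block in permissions:
        allowed = any(_matches(p, action) for p in block.get("actions", []))
        denied = any(_matches(p, action) for p in block.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def audit_role(role):
    """Return AZT301 IDs for which the role grants every action in the row."""
    perms = role.get("permissions", [])
    return sorted(tid for tid, actions in AZT301_ACTIONS.items()
                  if all(_granted(perms, a) for a in actions))

# Constructed role definitions (assumed keys: roleName, permissions[].actions,
# permissions[].notActions, as in exported Azure role definition JSON).
SAMPLE_ROLES = [
    {"roleName": "VM Operator (constructed)", "permissions": [{
        "actions": ["Microsoft.Compute/*"],
        "notActions": ["Microsoft.Compute/virtualMachines/runCommand/action"]}]},
    {"roleName": "Helpdesk (constructed)", "permissions": [{
        "actions": ["microsoft.serialconsole/serialports/connect/action"],
        "notActions": []}]},
    {"roleName": "Read Only (constructed)", "permissions": [{
        "actions": ["*/read"], "notActions": []}]},
]

if __name__ == "__main__":
    for r in SAMPLE_ROLES:
        print(r["roleName"], "->", audit_role(r) or "none")
```

The constructed "VM Operator" role excludes RunCommand on virtual machines through NotActions, yet its `Microsoft.Compute/*` wildcard still covers the extension and scale set rows, so a NotActions entry for one sub-technique does not close the others.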