AZT301.1 - Virtual Machine Scripting: RunCommand#
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:
- Windows: PowerShell commands to the VM as SYSTEM.
- Linux: Shell commands to the VM as root.
Resource
- Virtual Machine
Actions
- Microsoft.Compute/virtualMachines/runCommand/action
- Microsoft.Compute/locations/runCommands/read
Examples
Detections
Detection Details#
- Windows: The commands are stored as .PS1 files.
- Linux: The commands are stored as script.sh files.
Logs#
Data Source | Operation Name | Action/On-Disk Location | Log Provider |
---|---|---|---|
Resource | Run Command on Virtual Machine | Microsoft.Compute/virtualMachines/runCommand/action | AzureActivity |
On-Resource File (Windows) | File Creation | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads | Event |
On-Resource File (Windows) | File Creation | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status | Event |
On-Resource File (Linux) | File Creation | /var/lib/waagent/run-command/download/ | syslog |
On-Resource File (Linux) | File Creation | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ | syslog |
Queries#
Platform: Log Analytics. Correlates successful RunCommand activity with PowerShell script block logging (Event ID 4104) on the host:

```kusto
let timeframe = toscalar(AzureActivity
    | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION' and ActivityStatusValue == 'Success'
    | distinct TimeGenerated);
Event
| where EventID == '4104' and RenderedDescription has 'RunCommandWindows'
| where (timeframe - TimeGenerated) <= 1m
```

Note that `toscalar()` returns a single value, so this compares the host events against one RunCommand timestamp only, and the subtraction also accepts host events that precede it. The `Event` rows require the Microsoft-Windows-PowerShell/Operational log (script block logging enabled) to be collected into the workspace.

Platform: Log Analytics. Control-plane only; lists every successful RunCommand invocation, including the newer `runCommands/write` operation:

```kusto
AzureActivity
| where OperationNameValue has 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION' and ActivityStatusValue == 'Success'
    or OperationNameValue has 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE' and ActivityStatusValue == 'Success'
```
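The correlation the two Log Analytics queries express, written out in Python as an added example (it is not part of the AZT page or of any Microsoft tooling) so it can be run offline over constructed sample records. Column names (`TimeGenerated`, `OperationNameValue`, `ActivityStatusValue`, `EventID`, `RenderedDescription`) follow the page's queries and the paths follow the Logs table; the hostnames, callers, timestamps and log text are constructed, and matching `Event.Computer` to `AzureActivity.Resource` by name is an assumption (in a workspace you would join on the resource id). It generalises the first query by checking every successful RunCommand timestamp rather than the single one `toscalar()` returns, and it also reports host artifacts that have no matching control-plane event.

```python
from datetime import datetime, timedelta

# Operation names from the page's second Log Analytics query.
RUNCOMMAND_OPS = {
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE",
}
# On-disk locations from the page's Logs table; the Windows version folder is
# omitted so any extension version matches.
WINDOWS_MARKER = r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows"
LINUX_MARKER = "/var/lib/waagent/run-command/download/"


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


# Constructed AzureActivity-style rows (column names follow the page's query).
AZURE_ACTIVITY = [
    {"TimeGenerated": "2024-05-01T10:00:05Z", "Resource": "web01", "Caller": "alice@example.com",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-01T10:00:01Z", "Resource": "web01", "Caller": "alice@example.com",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "ActivityStatusValue": "Start"},
    {"TimeGenerated": "2024-05-01T12:30:00Z", "Resource": "db02", "Caller": "deploy-sp",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE", "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-01T13:00:00Z", "Resource": "web01", "Caller": "alice@example.com",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "ActivityStatusValue": "Success"},
]

# Constructed on-host rows: a Windows 4104 script-block event, a Linux syslog
# line, and one Windows event with no control-plane counterpart.
HOST_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:40Z", "Computer": "web01", "EventID": 4104,
     "RenderedDescription": "Creating Scriptblock text (1 of 1): ... "
                            r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads\script0.ps1"},
    {"TimeGenerated": "2024-05-01T12:30:20Z", "Computer": "db02", "EventID": None,
     "RenderedDescription": "python3[1234]: run-command: downloaded /var/lib/waagent/run-command/download/0/script.sh"},
    {"TimeGenerated": "2024-05-01T15:00:00Z", "Computer": "web01", "EventID": 4104,
     "RenderedDescription": "Creating Scriptblock text (1 of 1): ... "
                            r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads\script1.ps1"},
]


def successful_runcommands(activity):
    """Control-plane side: the page's second query (successful RunCommand operations)."""
    return [row for row in activity
            if row["OperationNameValue"].upper() in RUNCOMMAND_OPS
            and row["ActivityStatusValue"] == "Success"]


def runcommand_host_events(events):
    """Host side: Windows script-block events (4104) or Linux syslog lines that
    reference the RunCommand extension paths from the Logs table."""
    hits = []
    for ev in events:
        text = ev["RenderedDescription"]
        if (ev["EventID"] == 4104 and WINDOWS_MARKER in text) or LINUX_MARKER in text:
            hits.append(ev)
    return hits


def correlate(activity, events, window=timedelta(minutes=1)):
    """Pair each successful RunCommand activity with host artifacts on the same
    machine that appear within `window` after it. Resource/Computer name
    matching is an assumption for this example."""
    pairs = []
    for act in successful_runcommands(activity):
        t0 = parse_ts(act["TimeGenerated"])
        for ev in runcommand_host_events(events):
            if ev["Computer"].lower() != act["Resource"].lower():
                continue
            delta = parse_ts(ev["TimeGenerated"]) - t0
            if timedelta(0) <= delta <= window:
                pairs.append((act, ev))
    return pairs


def unmatched_host_events(activity, events, window=timedelta(minutes=1)):
    """RunCommand artifacts on a host with no successful control-plane event in
    the window: either a gap in activity log collection or something to triage."""
    matched = {id(ev) for _, ev in correlate(activity, events, window)}
    return [ev for ev in runcommand_host_events(events) if id(ev) not in matched]


if __name__ == "__main__":
    for act, ev in correlate(AZURE_ACTIVITY, HOST_EVENTS):
        print(f"{act['Caller']} -> {ev['Computer']} at {ev['TimeGenerated']}")
    for ev in unmatched_host_events(AZURE_ACTIVITY, HOST_EVENTS):
        print(f"orphan RunCommand artifact on {ev['Computer']} at {ev['TimeGenerated']}")
```

Running it prints two correlated invocations (the `Start` row and the unrelated `START/ACTION` row are dropped) and one orphan script-block event on web01 at 15:00, which is the case the page's `toscalar()` query cannot surface.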
Azure Monitor Alert#
For resources with Azure Monitor Agent installed
For resources without Azure Monitor Agent installed