
AZT301.1 - Virtual Machine Scripting: RunCommand

By using the 'RunCommand' feature on a Virtual Machine, an attacker who holds the runCommand action on that VM can pass commands to the guest without any guest credentials; the VM agent writes the script to disk and runs it:

  • Windows: PowerShell commands, executed on the VM as SYSTEM.

  • Linux: shell commands, executed on the VM as root.

Resource

  • Virtual Machine

Actions

  • Microsoft.Compute/virtualMachines/runCommand/action (action-based Run Command)
  • Microsoft.Compute/virtualMachines/runCommands/write (managed Run Command resource; same effect, logged as a separate operation)
  • Microsoft.Compute/locations/runCommands/read (lists the available command IDs)

Detections

Detection Details

  • Windows: the script is written to disk as a .ps1 file under the RunCommand extension's Downloads directory before it runs.
  • Linux: the script is written to disk as script.sh under the agent's run-command download directory before it runs.

Logs

| Data Source | Operation Name | Action / On-Disk Location | Log Provider |
|---|---|---|---|
| Resource | Run Command on Virtual Machine | Microsoft.Compute/virtualMachines/runCommand/action | AzureActivity |
| On-Resource File (Windows) | File Creation | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads | Event |
| On-Resource File (Windows) | File Creation | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status | Event |
| On-Resource File (Linux) | File Creation | /var/lib/waagent/run-command/download/ | syslog |
| On-Resource File (Linux) | File Creation | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ | syslog |

The version segment in the Windows and Linux extension paths (1.1.11 and 1.0.3 here) is whatever RunCommand extension version the VM has installed, so file-based detections should match on the parent directory rather than on a fixed version.
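Because the on-disk locations are version-specific, a responder collecting evidence from a VM (or from a mounted disk image of one) should glob across extension versions. The script below is an added example and is not part of the ATRM page: it finds and hashes RunCommand script and status files under the directories listed above, relative to a filesystem root. The sample tree it builds is constructed for the demo, and the per-invocation subfolder names under Downloads and download ("0", "1") are an assumption about the layout, not taken from the page.

```python
"""Collect RunCommand script artifacts left on a VM's disk.

Added example, not part of the ATRM page. Version-agnostic: the version
segment of each extension path is a wildcard. The sample tree is
constructed; per-invocation subfolder names are an assumption.
"""
import hashlib
import os
import shutil
import tempfile
from glob import glob
from pathlib import Path

# Patterns are relative to the filesystem root being examined, so the same
# code works on a live Windows/Linux VM and on an offline disk image.
PATTERNS = {
    "windows-script": "Packages/Plugins/Microsoft.CPlat.Core.RunCommandWindows/*/Downloads/**/*.ps1",
    "windows-status": "Packages/Plugins/Microsoft.CPlat.Core.RunCommandWindows/*/Status/*",
    "linux-script":   "var/lib/waagent/run-command/download/**/script.sh",
    "linux-status":   "var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-*/status/*",
}


def sha256_file(path):
    """Hash a file in chunks so large status/script files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_artifacts(root):
    """Return every matching artifact under root with its kind, path, hash and mtime."""
    root = Path(root)
    found = []
    for kind, pattern in PATTERNS.items():
        for p in sorted(glob(str(root / pattern), recursive=True)):
            if os.path.isfile(p):
                found.append({
                    "kind": kind,
                    "path": os.path.relpath(p, root),
                    "sha256": sha256_file(p),
                    "mtime": os.path.getmtime(p),
                })
    return found


# Constructed sample tree: two extension versions side by side, which is
# what a VM that has been upgraded in place looks like.
SAMPLE_FILES = {
    "Packages/Plugins/Microsoft.CPlat.Core.RunCommandWindows/1.1.11/Downloads/0/script0.ps1": "whoami\n",
    "Packages/Plugins/Microsoft.CPlat.Core.RunCommandWindows/1.1.15/Downloads/1/script1.ps1": "Get-LocalUser\n",
    "Packages/Plugins/Microsoft.CPlat.Core.RunCommandWindows/1.1.15/Status/1.status": "[]",
    "var/lib/waagent/run-command/download/0/script.sh": "id\n",
}


def build_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Build the constructed tree in a temp dir, collect artifacts, clean up."""
    tmp = tempfile.mkdtemp()
    try:
        build_sample_tree(tmp)
        return find_artifacts(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for a in demo():
        print(a["kind"], a["path"], a["sha256"][:12])
```

Run it against `/` on a Linux VM, `C:\` on a Windows VM, or the mount point of an image; the hashes let you tie a recovered script to the 4104 script-block text or to an IOC list without copying the file off the host first.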

Queries

Platform: Log Analytics (Windows guest; needs PowerShell script block logging enabled and the Microsoft-Windows-PowerShell/Operational log collected into the Event table). Each successful runCommand call is joined to the 4104 script-block events from the same VM within one minute either side of the call; the script path in the 4104 text is what carries the 'RunCommandWindows' token.

```kql
let runcmd = AzureActivity
    | where OperationNameValue =~ 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION'
        and ActivityStatusValue == 'Success'
    | project InvokedAt = TimeGenerated, Caller, CallerIpAddress, ResId = tolower(_ResourceId);
Event
| where EventID == 4104 and RenderedDescription has 'RunCommandWindows'
| extend ResId = tolower(_ResourceId)
| join kind=inner runcmd on ResId
| where TimeGenerated between ((InvokedAt - 1m) .. (InvokedAt + 1m))
| project TimeGenerated, Computer, Caller, CallerIpAddress, InvokedAt, RenderedDescription
```

Platform: Log Analytics (control plane only, no agent needed). Covers both the action-based call and the managed runCommands resource write.

```kql
AzureActivity
| where OperationNameValue in~ ('MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION',
                                'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE')
    and ActivityStatusValue == 'Success'
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, _ResourceId
```
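To make the correlation logic of the first query checkable offline, the following added example (not from the ATRM page) reimplements it in Python over constructed AzureActivity and Event rows: a successful runCommand call is paired with the 4104 script-block events on the same VM within a one-minute window, applied in both directions so that older script blocks on the VM are not swept in. Callers, IPs and resource IDs are made up; field names follow the Log Analytics tables.

```python
"""Correlate a successful RunCommand control-plane event with the
PowerShell script-block log (Event ID 4104) it produced on the VM.

Added example, not part of the ATRM page. All rows are constructed;
names, IPs and resource IDs are made up.
"""
from datetime import datetime, timedelta, timezone

RUNCOMMAND_OPS = {
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",   # action-based Run Command
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE",   # managed Run Command resource
}


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
      "/providers/Microsoft.Compute/virtualMachines/web01")

# Constructed AzureActivity rows: one successful call, one denied attempt,
# one unrelated operation on the same VM.
AZURE_ACTIVITY = [
    {"TimeGenerated": _t("2024-05-01T10:00:00"),
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
     "ActivityStatusValue": "Success", "Caller": "mallory@contoso.example",
     "CallerIpAddress": "203.0.113.7", "_ResourceId": VM},
    {"TimeGenerated": _t("2024-05-01T10:05:00"),
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
     "ActivityStatusValue": "Failed", "Caller": "mallory@contoso.example",
     "CallerIpAddress": "203.0.113.7", "_ResourceId": VM},
    {"TimeGenerated": _t("2024-05-01T10:00:10"),
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "ActivityStatusValue": "Success", "Caller": "ops@contoso.example",
     "CallerIpAddress": "198.51.100.2", "_ResourceId": VM},
]

# Constructed Event rows (EventID 4104). The 'Path:' line is what carries
# the RunCommandWindows token; the extension version there is illustrative.
EVENT = [
    {"TimeGenerated": _t("2024-05-01T10:00:20"), "EventID": 4104, "_ResourceId": VM.lower(),
     "RenderedDescription": "Creating Scriptblock text (1 of 1):\nwhoami\n\nScriptBlock ID: 1\n"
                            "Path: C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.11\\Downloads\\0\\script0.ps1"},
    {"TimeGenerated": _t("2024-05-01T09:30:00"), "EventID": 4104, "_ResourceId": VM.lower(),   # 30 min earlier
     "RenderedDescription": "Creating Scriptblock text (1 of 1):\nhostname\n\nScriptBlock ID: 2\n"
                            "Path: C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.11\\Downloads\\x\\scriptx.ps1"},
    {"TimeGenerated": _t("2024-05-01T10:00:30"), "EventID": 4104, "_ResourceId": VM.lower(),   # not RunCommand
     "RenderedDescription": "Creating Scriptblock text (1 of 1):\nGet-Service\n\nScriptBlock ID: 3\n"
                            "Path: C:\\ops\\health.ps1"},
]


def successful_runcommands(activity):
    return [r for r in activity
            if r["OperationNameValue"].upper() in RUNCOMMAND_OPS
            and r["ActivityStatusValue"] == "Success"]


def runcommand_scriptblocks(events):
    return [e for e in events
            if e["EventID"] == 4104 and "RunCommandWindows" in e["RenderedDescription"]]


def correlate(activity, events, window=timedelta(minutes=1)):
    """Pair each successful RunCommand call with 4104 events on the same VM
    within +/- window. The absolute difference matters: a signed comparison
    such as (t_call - t_event) <= 1m would also accept every older script block."""
    hits = []
    for call in successful_runcommands(activity):
        for ev in runcommand_scriptblocks(events):
            if ev["_ResourceId"].lower() != call["_ResourceId"].lower():
                continue
            if abs(ev["TimeGenerated"] - call["TimeGenerated"]) <= window:
                body = ev["RenderedDescription"].split("\n", 1)[1]
                script = body.split("\nScriptBlock ID")[0].strip()
                hits.append({"Caller": call["Caller"], "CallerIpAddress": call["CallerIpAddress"],
                             "ResourceId": call["_ResourceId"], "Invoked": call["TimeGenerated"],
                             "Executed": ev["TimeGenerated"], "Script": script})
    return hits


if __name__ == "__main__":
    for h in correlate(AZURE_ACTIVITY, EVENT):
        print(h)
```

The output row ties the control-plane identity (Caller, CallerIpAddress) to the exact script text that ran as SYSTEM, which is the pairing an analyst needs; neither table gives both halves on its own.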

Azure Monitor Alert

An Azure Monitor alert rule template is provided for each of the two cases:

  • resources with the Azure Monitor Agent installed (the guest-side Event data is available, so the first query can be alerted on);

  • resources without the Azure Monitor Agent installed (only the AzureActivity control-plane query applies).