AZT301.1 - Virtual Machine Scripting: RunCommand

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:

• Windows: PowerShell commands to the VM as SYSTEM.

• Linux: Shell commands to the VM as root.

Resource

• Virtual Machine

Actions

• Microsoft.Compute/virtualMachines/runCommand/action
• Microsoft.Compute/locations/runCommands/read

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Invoke-AzVMRunCommand

az vm run-command

POST https://management.azure.com/subscriptions/{sub id}/resourceGroups/{rg name}/providers/Microsoft.Compute/virtualMachines/{vm name}/runCommand?api-version=2022-03-01

Detections

Detection Details

• Windows: The commands are stored as .PS1 files.
• Linux: The commands are stored as script.sh files.

Logs

Data Source	Operation Name	Action	Log Location
Resource	Run Command on Virtual Machine	Microsoft.Compute/virtualMachines/runCommand/action	Azure Activity Log
On-Resource File (Windows)	File Creation	N/A	C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads
On-Resource File (Windows)	File Creation	N/A	C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status
On-Resource File (Linux)	File Creation	N/A	/var/lib/waagent/run-command/download/
On-Resource File (Linux)	File Creation	N/A	/var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/

Queries

Log Analytics

   |where OperationNameValue=="Microsoft.Compute/virtualMachines/runCommand/action"

Additional Resources

• https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command
• https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command
• https://stratus-red-team.cloud/attack-techniques/azure/azure.execution.vm-run-command/