
AZT301.1 - Virtual Machine Scripting: RunCommand

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

Resource

  • Virtual Machine

Actions

  • Microsoft.Compute/virtualMachines/runCommand/action
  • Microsoft.Compute/locations/runCommands/read

Detections

Detection Details

  • Windows: The commands are stored as .PS1 files.
  • Linux: The commands are stored as script.sh files.

Logs

| Data Source | Operation Name | Action | Log Location |
| --- | --- | --- | --- |
| Resource | Run Command on Virtual Machine | Microsoft.Compute/virtualMachines/runCommand/action | Azure Activity Log |
| On-Resource File (Windows) | File Creation | N/A | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads |
| On-Resource File (Windows) | File Creation | N/A | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status |
| On-Resource File (Linux) | File Creation | N/A | /var/lib/waagent/run-command/download/ |
| On-Resource File (Linux) | File Creation | N/A | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ |

Queries

AzureActivity
| where OperationNameValue == "Microsoft.Compute/virtualMachines/runCommand/action"
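The Activity Log query above and the on-resource file locations in the Logs table translate into two offline checks a responder can run: filter an exported Activity Log for the runCommand action and rank the callers, and inventory the script files the RunCommand extension leaves behind on the VM. The Python below is an added example, not part of the ATRM page. The export record shape is an assumption: flat JSON objects whose keys mirror the AzureActivity table columns (OperationNameValue, Caller, CallerIpAddress, ResourceId, ActivityStatusValue, TimeGenerated); the subscription id, principals, IPs and status strings in the sample are constructed.

```python
"""Detection helpers for Azure VM RunCommand use (AZT301.1).

Added example, not the ATRM project's code. Two checks:
  1. Filter exported Azure Activity Log records for the runCommand action
     and rank the (caller, source IP) pairs that issued it.
  2. Inventory the script files the RunCommand extension dropped on the VM.
"""
import fnmatch
import json
import os
from collections import Counter
from pathlib import Path

RUN_COMMAND_ACTION = "Microsoft.Compute/virtualMachines/runCommand/action"

# On-resource locations from the ATRM Logs table. The Windows plugin folder
# contains a version subfolder (1.1.11 on the page), so the walk starts at the
# plugin root rather than hard-coding a version.
WINDOWS_PLUGIN_ROOT = Path(r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows")
LINUX_DOWNLOAD_ROOT = Path("/var/lib/waagent/run-command/download")

# Constructed sample export (assumed shape: flat records with AzureActivity
# column names). Subscription id, callers, IPs and status values are invented.
SAMPLE_ACTIVITY_EXPORT = json.dumps([
    {"TimeGenerated": "2024-01-01T10:00:00Z", "OperationNameValue": RUN_COMMAND_ACTION,
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                   "/providers/Microsoft.Compute/virtualMachines/vm-web01",
     "ActivityStatusValue": "Start"},
    {"TimeGenerated": "2024-01-01T10:00:05Z", "OperationNameValue": RUN_COMMAND_ACTION,
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                   "/providers/Microsoft.Compute/virtualMachines/vm-web01",
     "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-01-01T11:30:00Z",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/start/action",
     "Caller": "bob@example.com", "CallerIpAddress": "198.51.100.7",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                   "/providers/Microsoft.Compute/virtualMachines/vm-db01",
     "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-01-02T02:13:00Z", "OperationNameValue": RUN_COMMAND_ACTION,
     "Caller": "svc-deploy@example.com", "CallerIpAddress": "192.0.2.44",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                   "/providers/Microsoft.Compute/virtualMachines/vm-db01",
     "ActivityStatusValue": "Success"},
])


def run_command_events(export_json: str) -> list[dict]:
    """Return the exported records whose operation is the RunCommand action.

    This is the same filter as the KQL `where OperationNameValue == ...`,
    applied to a JSON export instead of the AzureActivity table.
    """
    records = json.loads(export_json)
    return [r for r in records if r.get("OperationNameValue") == RUN_COMMAND_ACTION]


def callers_by_frequency(events: list[dict]) -> list[tuple[tuple[str, str], int]]:
    """Rank (caller, source IP) pairs by RunCommand event count, most active first.

    A principal or address that has never used RunCommand before shows up at
    the tail of this list and is the first thing to triage.
    """
    counts = Counter((e.get("Caller", ""), e.get("CallerIpAddress", "")) for e in events)
    return counts.most_common()


def run_command_scripts(root: Path, patterns: tuple[str, ...] = ("*.ps1", "script.sh")) -> list[Path]:
    """Walk an extension directory and return the script files RunCommand left there.

    Windows stores each invocation as a .ps1 under the plugin's Downloads folder;
    Linux stores script.sh under the waagent download directory (see Logs table).
    Returns an empty list when the directory is absent, e.g. on a VM that has
    never received a RunCommand.
    """
    if not root.exists():
        return []
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and any(fnmatch.fnmatch(p.name, pat) for pat in patterns))


if __name__ == "__main__":
    events = run_command_events(SAMPLE_ACTIVITY_EXPORT)
    for e in events:
        vm = e["ResourceId"].rsplit("/", 1)[-1]
        print(f'{e["TimeGenerated"]} {e["Caller"]} {e["CallerIpAddress"]} -> {vm} ({e["ActivityStatusValue"]})')
    print("callers by frequency:", callers_by_frequency(events))
    root = WINDOWS_PLUGIN_ROOT if os.name == "nt" else LINUX_DOWNLOAD_ROOT
    for script in run_command_scripts(root):
        print("RunCommand script on disk:", script)
```

Run it on the VM itself (as an administrator, since the plugin directories are not world-readable) to list the scripts that were executed; the `.ps1` or `script.sh` contents are the actual commands the caller passed, which the Activity Log record does not include. Point `run_command_events` at a real export by loading the file and adjusting the key names if your export nests them.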