AZT301.4 - Virtual Machine Scripting: Compute Gallery Application

By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.

Actions

• Microsoft.Compute/virtualMachines/write
• Microsoft.Compute/galleries/write
• Microsoft.Compute/galleries/applications/write
• Microsoft.Compute/galleries/applications/versions/write

Resource

Virtual Machine

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

• New-AzGalleryApplication

• New-AzGalleryApplicationVersion

• az sig gallery-application create
• az sig image-version create

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/applications/{galleryApplicationName}?api-version=2021-10-01

Detections

Logs

Data Source	Operation Name	Action	Log Location
Resource	Create or Update Gallery Application Version	Microsoft.Compute/galleries/applications/versions/write	Azure Activity Log
Resource	Create or Update Gallery Application	Microsoft.Compute/galleries/applications/write	Azure Portal
Resource	Create or Update Gallery Application Version	Microsoft.Compute/galleries/applications/versions/write	Azure Activity Log
Resource	Create or Update Gallery Application Version	Microsoft.Compute/galleries/applications/versions/write	Azure Activity Log
On-Resource File	File Creation	N/A	C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\Status

Queries

Log Analytics

 |where OperationNameValue=="Microsoft.Compute/galleries/applications/versions/write" 

Additional Resources

https://docs.microsoft.com/en-us/azure/virtual-machines/vm-applications