AZT301.4 - Virtual Machine Scripting: Compute Gallery Application
By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
Actions
- Microsoft.Compute/virtualMachines/write
- Microsoft.Compute/galleries/write
- Microsoft.Compute/galleries/applications/write
- Microsoft.Compute/galleries/applications/versions/write
Resource
Virtual Machine
Examples
Detections
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Create or Update Gallery Application Version | Microsoft.Compute/galleries/applications/versions/write | Azure Activity Log |
| Resource | Create or Update Gallery Application | Microsoft.Compute/galleries/applications/write | Azure Portal |
| On-Resource File | File Creation | N/A | C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\Status |
Queries
// KQL against the Azure Activity Log as exported to Log Analytics (AzureActivity table)
AzureActivity
| where OperationNameValue == "Microsoft.Compute/galleries/applications/versions/write"
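The query above fires on every gallery application version write, including legitimate packaging. Since the technique also needs a Microsoft.Compute/virtualMachines/write to attach the application to a target VM, a lower-noise detection is the sequence of the two operations by the same caller. The following is an added example (not from the AzTRM page) that runs that correlation over constructed AzureActivity-style records; the field names follow the AzureActivity schema, while the callers, resource IDs and timestamps are made up.

```python
from datetime import datetime, timedelta

VERSION_WRITE = "Microsoft.Compute/galleries/applications/versions/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

# Constructed sample AzureActivity rows (not real telemetry). Field names follow
# the AzureActivity Log Analytics schema; all values are invented for this example.
SAMPLE_LOGS = [
    {"TimeGenerated": "2024-01-10T10:00:00Z", "Caller": "ops@contoso.example",
     "OperationNameValue": VM_WRITE, "ResourceId": "/.../virtualMachines/web01"},
    {"TimeGenerated": "2024-01-10T11:05:00Z", "Caller": "user-b@contoso.example",
     "OperationNameValue": "Microsoft.Compute/galleries/applications/write",
     "ResourceId": "/.../galleries/gal1/applications/app1"},
    {"TimeGenerated": "2024-01-10T11:07:00Z", "Caller": "user-b@contoso.example",
     "OperationNameValue": VERSION_WRITE,
     "ResourceId": "/.../galleries/gal1/applications/app1/versions/1.0.0"},
    {"TimeGenerated": "2024-01-10T11:20:00Z", "Caller": "user-b@contoso.example",
     "OperationNameValue": VM_WRITE, "ResourceId": "/.../virtualMachines/web01"},
    {"TimeGenerated": "2024-01-10T15:00:00Z", "Caller": "ops@contoso.example",
     "OperationNameValue": VM_WRITE, "ResourceId": "/.../virtualMachines/db01"},
]

def _ts(record):
    return datetime.strptime(record["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")

def find_gallery_app_pushes(records, window=timedelta(hours=1)):
    """Return (caller, version_resource_id, vm_resource_id) for every case where a
    caller wrote a gallery application version and then updated a VM within
    `window`: the pair of writes needed to attach the application (and its
    install command) to a machine. VM writes with no preceding version write by
    the same caller are ignored, which keeps routine VM updates out of the alert."""
    recent_versions = {}  # caller -> [(time, version ResourceId), ...]
    hits = []
    for r in sorted(records, key=_ts):
        op, caller, t = r["OperationNameValue"], r["Caller"], _ts(r)
        if op == VERSION_WRITE:
            recent_versions.setdefault(caller, []).append((t, r["ResourceId"]))
        elif op == VM_WRITE:
            for vt, vid in recent_versions.get(caller, []):
                if timedelta(0) <= t - vt <= window:
                    hits.append((caller, vid, r["ResourceId"]))
    return hits

if __name__ == "__main__":
    for hit in find_gallery_app_pushes(SAMPLE_LOGS):
        print("gallery application attached to VM shortly after version write:", hit)
```

The same correlation can be expressed in KQL with a self-join of AzureActivity on Caller bounded by TimeGenerated; the Python above shows the logic on a small, offline sample.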
Additional Resources
https://docs.microsoft.com/en-us/azure/virtual-machines/vm-applications