
AZT301.4 - Virtual Machine Scripting: Compute Gallery Application

Azure Compute Gallery applications (VM Applications) carry install, remove and update commands that the VM Application extension executes on the target VM. An attacker who can create a gallery, an application and an application version, and then attach that version to a VM (a virtual machine write), can therefore run cmd.exe (MS-DOS style) or PowerShell commands on the VM as SYSTEM without holding any credentials on the VM itself.

Actions

  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/galleries/write
  • Microsoft.Compute/galleries/applications/write
  • Microsoft.Compute/galleries/applications/versions/write

Resource

Virtual Machine

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
| --- | --- | --- | --- |
| Resource | Create or Update Gallery | Microsoft.Compute/galleries/write | Azure Activity Log |
| Resource | Create or Update Gallery Application | Microsoft.Compute/galleries/applications/write | Azure Activity Log |
| Resource | Create or Update Gallery Application Version | Microsoft.Compute/galleries/applications/versions/write | Azure Activity Log |
| Resource | Create or Update Virtual Machine | Microsoft.Compute/virtualMachines/write | Azure Activity Log |
| On-Resource (File) | File Creation | N/A | C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\Status |

Queries

```kql
AzureActivity
| where OperationNameValue =~ "Microsoft.Compute/galleries/applications/versions/write" // =~ is case-insensitive; AzureActivity often stores this value upper-cased
```
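A version write on its own is routine activity for image-build pipelines; what makes this technique stand out is the same principal writing a gallery application version and then, shortly after, writing a virtual machine (the step that attaches the version). The block below is an added example, not part of the ATRM page or its tooling: it runs that correlation over constructed AzureActivity-style JSON records (the subscription id, identities, resource names and timestamps are all made up) and assumes the AzureActivity column names TimeGenerated, Caller, OperationNameValue, ActivityStatusValue and _ResourceId. Operation names are compared case-insensitively for the same reason the query above uses =~.

```python
import json
from datetime import datetime, timedelta, timezone

# Operation names taken from the Detections table above. They are compared
# case-insensitively because AzureActivity frequently upper-cases
# OperationNameValue (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE).
GALLERY_VERSION_WRITE = "Microsoft.Compute/galleries/applications/versions/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

# Constructed AzureActivity-style records (JSON lines). Subscription id,
# identities, resource names and timestamps are invented for this example;
# the column names follow the Log Analytics AzureActivity table.
RG = ("/subscriptions/00000000-0000-0000-0000-000000000000"
      "/resourceGroups/rg-prod/providers/Microsoft.Compute")
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Caller": "attacker@contoso.com",
     "OperationNameValue": "Microsoft.Compute/galleries/write",
     "ActivityStatusValue": "Success", "_ResourceId": f"{RG}/galleries/stagegallery"},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "Caller": "attacker@contoso.com",
     "OperationNameValue": "Microsoft.Compute/galleries/applications/write",
     "ActivityStatusValue": "Success",
     "_ResourceId": f"{RG}/galleries/stagegallery/applications/helper"},
    # A write is logged twice, once at Start and once at Success; only the
    # Success record is counted.
    {"TimeGenerated": "2024-05-01T10:02:00Z", "Caller": "attacker@contoso.com",
     "OperationNameValue": GALLERY_VERSION_WRITE, "ActivityStatusValue": "Start",
     "_ResourceId": f"{RG}/galleries/stagegallery/applications/helper/versions/1.0.0"},
    {"TimeGenerated": "2024-05-01T10:02:30Z", "Caller": "attacker@contoso.com",
     "OperationNameValue": GALLERY_VERSION_WRITE, "ActivityStatusValue": "Success",
     "_ResourceId": f"{RG}/galleries/stagegallery/applications/helper/versions/1.0.0"},
    # Attaching the version to the VM is a plain VM write; note the upper-cased name.
    {"TimeGenerated": "2024-05-01T10:05:00Z", "Caller": "attacker@contoso.com",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "ActivityStatusValue": "Success", "_ResourceId": f"{RG}/virtualMachines/dc01"},
    # Benign noise: an image pipeline publishing a version with no VM write ...
    {"TimeGenerated": "2024-05-01T10:06:00Z", "Caller": "imgbuild@contoso.com",
     "OperationNameValue": GALLERY_VERSION_WRITE, "ActivityStatusValue": "Success",
     "_ResourceId": f"{RG}/galleries/corpgallery/applications/agent/versions/2.3.1"},
    # ... and an unrelated operator changing a different VM.
    {"TimeGenerated": "2024-05-01T10:07:00Z", "Caller": "ops@contoso.com",
     "OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success",
     "_ResourceId": f"{RG}/virtualMachines/web01"},
])


def parse_records(jsonl: str) -> list[dict]:
    """Parse JSON-lines records and attach a tz-aware timestamp, oldest first."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(
            rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def _is_op(rec: dict, op: str, status: str = "Success") -> bool:
    """Case-insensitive operation match restricted to the given status."""
    return rec["OperationNameValue"].lower() == op.lower() and rec["ActivityStatusValue"] == status


def find_vm_application_chains(records: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Pair every successful gallery application version write with later
    successful VM writes by the same caller inside `window`. Each pair is one
    alert naming the version that was published and the VM it was pushed to."""
    alerts = []
    for ver in (r for r in records if _is_op(r, GALLERY_VERSION_WRITE)):
        for vm in (r for r in records if _is_op(r, VM_WRITE)):
            if vm["Caller"] == ver["Caller"] and ver["_ts"] <= vm["_ts"] <= ver["_ts"] + window:
                alerts.append({
                    "caller": ver["Caller"],
                    "application_version": ver["_ResourceId"],
                    "target_vm": vm["_ResourceId"],
                    "seconds_between": int((vm["_ts"] - ver["_ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_vm_application_chains(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample above this yields a single alert for attacker@contoso.com pairing versions/1.0.0 with dc01; the pipeline publish and the operator's VM change are left alone. The window is a tuning knob: an attacker can wait, so widen it (or drop the time bound and key on caller only) when the gallery is one nobody should be publishing to.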