
AZT301.6 - Virtual Machine Scripting: Vmss Run Command

By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on one or more VM instances in the scale set as:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

Resource

  • Virtual Machine Scale Sets

Actions

  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action

Detections

Detection Details

  • Windows: The commands are stored as .PS1 files.
  • Linux: The commands are stored as script.sh files.

Logs

| Data Source | Operation Name | Action / On-Disk Location | Log Provider |
|---|---|---|---|
| Resource | Run Command on a Virtual Machine instance in a Virtual Machine Scale Set | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action | AzureActivity |
| On-Resource File (Windows) | File Creation | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads | Event |
| On-Resource File (Windows) | File Creation | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status | Event |
| On-Resource File (Linux) | File Creation | /var/lib/waagent/run-command/download/ | syslog |
| On-Resource File (Linux) | File Creation | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ | syslog |

Queries

| Platform | Query |
|---|---|
| Log Analytics | `AzureActivity \| where OperationNameValue == 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action'` |
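The following is an added example, not code from the Azure Threat Research Matrix page. It applies the indicators listed above to constructed sample telemetry: the AzureActivity filter from the Queries table (control-plane evidence) and the on-disk locations from the Logs table (host evidence), then groups both per scale set so an analyst can see when a runCommand API call is backed by a script actually landing on an instance. All records are constructed; the field names (`OperationNameValue`, `Caller`, `ResourceId`, and the `scale_set`/`path` fields on file events) are assumptions modelled on the Log Analytics AzureActivity schema and on a generic file-creation event, and the extension version directory is matched with a wildcard on the assumption that only the version number changes between releases.

```python
"""Detector for AZT301.6 (Vmss Run Command) evidence over constructed sample
telemetry. Added example; not part of the Azure Threat Research Matrix."""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Operation name from the page's Actions and Queries sections.
VMSS_RUNCOMMAND_OP = (
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"
)

# On-disk locations from the page's Logs table. The version directory
# (1.1.11 / 1.0.3 on the page) is wildcarded: assumption that only the
# version number varies between extension releases.
WINDOWS_RUNCOMMAND_PATH = re.compile(
    r"^C:\\Packages\\Plugins\\Microsoft\.CPlat\.Core\.RunCommandWindows\\[^\\]+\\(Downloads|Status)\\",
    re.IGNORECASE,
)
LINUX_RUNCOMMAND_PATH = re.compile(
    r"^/var/lib/waagent/(run-command/download/|Microsoft\.CPlat\.Core\.RunCommandLinux-[^/]+/status/)"
)

# Scale set name and instance id are embedded in the ARM resource id.
RESOURCE_ID_RE = re.compile(
    r"/virtualMachineScaleSets/([^/]+)/virtualMachines/([^/]+)", re.IGNORECASE
)

# Constructed AzureActivity records (field names are assumptions).
SAMPLE_ACTIVITY: List[dict] = [
    {
        "TimeGenerated": "2024-01-01T10:00:00Z",
        "OperationNameValue": VMSS_RUNCOMMAND_OP,
        "Caller": "operator@example.com",
        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                      "/providers/Microsoft.Compute/virtualMachineScaleSets/vmss01/virtualMachines/0",
        "ActivityStatusValue": "Success",
    },
    {   # Unrelated read operation; must not match.
        "TimeGenerated": "2024-01-01T10:01:00Z",
        "OperationNameValue": "Microsoft.Compute/virtualMachineScaleSets/read",
        "Caller": "operator@example.com",
        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                      "/providers/Microsoft.Compute/virtualMachineScaleSets/vmss01",
        "ActivityStatusValue": "Success",
    },
]

# Constructed host file-creation events (Windows Event log / Linux syslog collector).
SAMPLE_FILE_EVENTS: List[dict] = [
    {"scale_set": "vmss01", "host": "vmss01_0", "os": "windows",
     "path": r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads\0\script0.ps1"},
    {"scale_set": "vmss01", "host": "vmss01_0", "os": "windows",
     "path": r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status\0.status"},
    {"scale_set": "vmss01", "host": "vmss01_1", "os": "linux",
     "path": "/var/lib/waagent/run-command/download/0/script.sh"},
    {"scale_set": "vmss01", "host": "vmss01_1", "os": "linux",
     "path": "/var/log/syslog"},  # ordinary file; must not match
]


def parse_vmss_resource_id(resource_id: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (scale set name, instance id) from an ARM resource id, or (None, None)."""
    m = RESOURCE_ID_RE.search(resource_id)
    return (m.group(1), m.group(2)) if m else (None, None)


def vmss_runcommand_activity(records: Iterable[dict]) -> List[dict]:
    """Equivalent of the page's Log Analytics query:
    AzureActivity | where OperationNameValue == '<runCommand action>'."""
    hits = []
    for r in records:
        if r.get("OperationNameValue") != VMSS_RUNCOMMAND_OP:
            continue
        scale_set, instance = parse_vmss_resource_id(r.get("ResourceId", ""))
        hits.append({"time": r.get("TimeGenerated"), "caller": r.get("Caller"),
                     "scale_set": scale_set, "instance": instance,
                     "status": r.get("ActivityStatusValue")})
    return hits


def runcommand_file_events(events: Iterable[dict]) -> List[dict]:
    """File creations under the RunCommand extension download/status directories."""
    hits = []
    for e in events:
        path = e.get("path", "")
        if WINDOWS_RUNCOMMAND_PATH.match(path) or LINUX_RUNCOMMAND_PATH.match(path):
            # Per Detection Details: the script itself is a .PS1 file (Windows)
            # or script.sh (Linux); status files are secondary evidence.
            is_script = path.lower().endswith(".ps1") or path.endswith("/script.sh")
            hits.append({"scale_set": e.get("scale_set"), "host": e.get("host"),
                         "os": e.get("os"), "path": path, "is_script": is_script})
    return hits


def correlate(activity: Iterable[dict], file_events: Iterable[dict]) -> Dict[str, dict]:
    """Group control-plane and on-host evidence by scale set name."""
    by_set: Dict[str, dict] = {}
    for a in vmss_runcommand_activity(activity):
        by_set.setdefault(a["scale_set"], {"activity": [], "files": []})["activity"].append(a)
    for f in runcommand_file_events(file_events):
        by_set.setdefault(f["scale_set"], {"activity": [], "files": []})["files"].append(f)
    return by_set


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_ACTIVITY, SAMPLE_FILE_EVENTS), indent=2))
```

Running the block prints one group for `vmss01` containing the single runCommand activity record and the three extension-directory file creations; the read operation and the `/var/log/syslog` write are ignored. In a real pipeline the `Caller` and `instance` fields are what an analyst pivots on: an unexpected principal invoking runCommand, or a script landing on an instance with no matching AzureActivity entry, is what merits escalation.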

Azure Monitor Alert

Deploy to Azure (link to the alert deployment template)