AZT301.6 - Virtual Machine Scripting: Vmss Run Command

By using the 'RunCommand' feature on a virtual machine scale set (VMSS), an attacker can execute a command on one or more VM instances in the set. The command runs as follows:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

Resource

  • Virtual Machine Scale Sets

Actions

  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action

Detections

Detection Details

  • Windows: The commands are stored as .PS1 files.
  • Linux: The commands are stored as script.sh files.

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Run Command on a Virtual Machine instance in a Virtual Machine Scale Set | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action | Azure Activity Log |
| On-Resource File (Windows) | File Creation | N/A | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Downloads |
| On-Resource File (Windows) | File Creation | N/A | C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.11\Status |
| On-Resource File (Linux) | File Creation | N/A | /var/lib/waagent/run-command/download/ |
| On-Resource File (Linux) | File Creation | N/A | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ |

Queries

   AzureActivity  // Azure Activity Log table in Log Analytics
   | where OperationNameValue =~ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"
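
The filter above, extended into a triage query that shows which caller ran commands against which scale set instances. This is an added example, not part of the original page; the sample rows, caller names, IP addresses, correlation IDs and resource IDs are constructed, and `SampleActivity` stands in for `AzureActivity`.

```kql
// Constructed sample rows shaped like AzureActivity (not real log data).
// Operation values appear in mixed case, which is why the filter uses =~.
let SampleActivity = datatable(
    TimeGenerated:datetime, OperationNameValue:string, ActivityStatusValue:string,
    Caller:string, CallerIpAddress:string, CorrelationId:string, _ResourceId:string)
[
    datetime(2024-01-10 09:00:01), "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION", "Start", "ops@example.com", "203.0.113.10", "corr-001", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachinescalesets/vmss-web/virtualmachines/0",
    datetime(2024-01-10 09:00:40), "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION", "Success", "ops@example.com", "203.0.113.10", "corr-001", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachinescalesets/vmss-web/virtualmachines/0",
    datetime(2024-01-10 09:01:05), "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION", "Start", "ops@example.com", "203.0.113.10", "corr-002", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachinescalesets/vmss-web/virtualmachines/1",
    datetime(2024-01-10 09:01:50), "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION", "Success", "ops@example.com", "203.0.113.10", "corr-002", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachinescalesets/vmss-web/virtualmachines/1",
    datetime(2024-01-10 11:30:00), "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action", "Failure", "svc-deploy@example.com", "198.51.100.7", "corr-003", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-web/virtualMachines/3",
    // Unrelated operation on the same scale set; the filter must drop it.
    datetime(2024-01-10 12:00:00), "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE", "Success", "ops@example.com", "203.0.113.10", "corr-004", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachinescalesets/vmss-web"
];
let RunCommandOp = "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action";
SampleActivity  // replace with AzureActivity in a real workspace
| where OperationNameValue =~ RunCommandOp
// Pull the scale set name and instance id out of the resource id, ignoring case.
| extend ScaleSet   = extract(@"(?i)/virtualmachinescalesets/([^/]+)", 1, _ResourceId),
         InstanceId = extract(@"(?i)/virtualmachines/([^/]+)", 1, _ResourceId)
// One invocation produces several status rows; count invocations by CorrelationId.
| summarize FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            Invocations = dcount(CorrelationId),
            Instances   = make_set(InstanceId),
            Statuses    = make_set(ActivityStatusValue)
    by Caller, CallerIpAddress, ScaleSet
| extend InstanceCount = array_length(Instances)
| order by InstanceCount desc, FirstSeen asc
```

A single caller reaching several instances in a short window, or a caller that does not normally administer the scale set, is the result worth reviewing against the on-resource file locations listed under Logs.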