Execution
The adversary is trying to run malicious code.
Execution in Azure consists of techniques that run code on a managed device, a virtual machine, or an unmanaged host. Specifically, execution covers cases where malicious code is run in an attempt to gain access to a host or device.
ID | Name | Description
---|---|---
AZT301 | Virtual Machine Scripting | Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.
.001 | RunCommand | By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
.002 | CustomScriptExtension | By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
.003 | Desired State Configuration | By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
.004 | Compute Gallery Application | By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
.005 | AKS Command Invoke | By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM.
.006 | Vmss Run Command | By utilizing the 'RunCommand' feature on a virtual machine scale set (vmss), an attacker can execute a command on an instance of a VM as SYSTEM.
.007 | Serial Console | By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.
AZT302 | Serverless Scripting | Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure Resource.
.001 | Automation Account Runbook Hybrid Worker Group | By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
.002 | Automation Account Runbook RunAs Account | By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges.
.003 | Automation Account Runbook Managed Identity | By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges.
.004 | Function Application | By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
AZT303 | Managed Device Scripting | Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.