Execution#
The adversary is trying to run malicious code.
Execution in Azure consists of techniques that run code either through a managed device, virtual machine, or on an unmanaged host. Execution specifically is attributable to when malicious code is ran in an attempt to gain access to a host/device.
| ID | Name | Description | |
|---|---|---|---|
| AZT301 | Virtual Machine Scripting | Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine. | |
| .001 | RunCommand | By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM. | |
| .002 | CustomScriptExtension | By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM. | |
| .003 | Desired State Configuration | By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM. | |
| .004 | Compute Gallery Application | By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM. | |
| .005 | AKS Command Invoke | By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM | |
| .006 | Vmss Run Command | By utilizing the 'RunCommand' feature on a virtual machine scale set (vmss), an attacker can execute a command on an instance of a VM as SYSTEM. | |
| .007 | Serial Console | By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands. | |
| AZT302 | Serverless Scripting | Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure Resource. | |
| .001 | Automation Account Runbook Hybrid Worker Group | By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group. | |
| .002 | Automation Account Runbook RunAs Account | By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges. | |
| .003 | Automation Account Runbook Managed Identity | By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges. | |
| .004 | Function Application | By utilizing a Function Application, an attacker can execute Azure operations on a given resource. | |
| AZT303 | Managed Device Scripting | Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them. |