AZT501.3 - Account Manipulation: Azure VM Local Administrator Manipulation
An adversary may manipulate the local admin account on an Azure VM.
Resource
Azure Active Directory
Actions
- microsoft.compute/virtualMachines/extensions/write
Examples
Detections
Detection Details
After a successful reset, an activity-log entry with the operation name 'Validate Deployment' is created. The scope of that entry mentions the password reset as "VMAccessWindowsPasswordReset".
Logs
Data Source | Operation Name | Action | Log Location
---|---|---|---
Resource | Create or Update Virtual Machine Extension | microsoft.compute/virtualMachines/extensions/write | Azure Activity Log
Resource | Validate Deployment | Microsoft.Resources/deployments/validate/action | Azure Activity Log
Queries
AzureActivity
// =~ is case-insensitive, so the match does not depend on how the operation name is cased in the table
| where OperationNameValue =~ "microsoft.compute/virtualMachines/extensions/write"
    or OperationNameValue =~ "Microsoft.Resources/deployments/validate/action"
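The same detection logic applied outside Log Analytics, as an added example that is not part of the original page: it runs over constructed AzureActivity-shaped records, treats extension writes that carry the VMAccess publisher/type and deployment validations whose properties mention "VMAccessWindowsPasswordReset" as likely password resets, and flags any other extension write for review. The record field layout, callers and resource IDs are assumptions for the sample.

```python
import json

# Operation names from the detection table above, compared case-insensitively.
EXTENSION_WRITE = "microsoft.compute/virtualmachines/extensions/write"
DEPLOY_VALIDATE = "microsoft.resources/deployments/validate/action"
RESET_MARKER = "VMAccessWindowsPasswordReset"  # string the page says appears in the scope


def classify(record):
    """Classify one AzureActivity-style record: 'reset' for a likely local-admin
    password reset, 'extension-write' for any other VM extension write worth
    reviewing, or None when the record is unrelated."""
    op = record.get("OperationNameValue", "").lower()
    props = record.get("Properties", "")
    if op == EXTENSION_WRITE:
        # The portal reset is delivered through the VMAccess extension; this
        # assumes the Properties JSON carries the extension publisher/type.
        try:
            body = json.loads(props)
        except json.JSONDecodeError:
            body = {}
        if "vmaccess" in json.dumps(body).lower():
            return "reset"
        return "extension-write"
    if op == DEPLOY_VALIDATE and RESET_MARKER in props:
        return "reset"
    return None


def find_admin_resets(records):
    """Return (Caller, ResourceId, verdict) for every matching record."""
    hits = []
    for r in records:
        verdict = classify(r)
        if verdict:
            hits.append((r.get("Caller"), r.get("ResourceId"), verdict))
    return hits


# Constructed sample records shaped like the AzureActivity table (not real logs).
RG = "/subscriptions/0000/resourceGroups/rg1/providers/"
SAMPLE_ACTIVITY = [
    {"OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
     "Caller": "alice@example.com", "ResourceId": RG + "Microsoft.Compute/virtualMachines/vm1/extensions/enablevmaccess",
     "Properties": '{"publisher": "Microsoft.Compute", "type": "VMAccessAgent"}'},
    {"OperationNameValue": "MICROSOFT.RESOURCES/DEPLOYMENTS/VALIDATE/ACTION",
     "Caller": "alice@example.com", "ResourceId": RG + "Microsoft.Resources/deployments/VMAccessWindowsPasswordReset",
     "Properties": '{"scope": "VMAccessWindowsPasswordReset"}'},
    {"OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
     "Caller": "bob@example.com", "ResourceId": RG + "Microsoft.Compute/virtualMachines/vm2/extensions/AzureMonitorWindowsAgent",
     "Properties": '{"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorWindowsAgent"}'},
    {"OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "Caller": "bob@example.com", "ResourceId": RG + "Microsoft.Compute/virtualMachines/vm2", "Properties": "{}"},
]

if __name__ == "__main__":
    for hit in find_admin_resets(SAMPLE_ACTIVITY):
        print(hit)
```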
Detection Screenshot
Additional Resources
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/reset-rdp