AZT501.3 - Account Manipulation: Azure VM Local Administrator Manipulation#

An adverary may manipulate the local admin account on an Azure VM

Resource

Azure Active Directory

Actions

microsoft.compute/virtualMachines/extensions/write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Set-AzVMAccessExtension

az vm extension set

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/{vmExtensionName}?api-version=2022-03-01

localadminreset

Detections

Detection Details#

After a successful reset, the log 'Validate Deployment' will be created. Specifically, in the scope, a password reset will be mentioned "VMAccessWindowsPasswordReset".

Logs#

Data Source	Operation Name	Action	Log Location
Resource	Create or Udpate Virutal Machine Extension	microsoft.compute/virtualMachines/extensions/write	Azure Activity Log
Resource	Validate Deployment	Microsoft.Resources/deployments/validate/action	Azure Activity Log

Queries#

Log Analytics

AzureActivity 
|where OperationNameValue=="microsoft.compute/virtualMachines/extensions/write" or OperationNameValue=="Microsoft.Resources/deployments/validate/action"

Detection Screenshot#

validate

Additional Resources

https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/reset-rdp