
AZT501.3 - Account Manipulation: Azure VM Local Administrator Manipulation#

An adversary may manipulate the local administrator account on an Azure VM.

Resource

Azure Active Directory

Actions

  • microsoft.compute/virtualMachines/extensions/write

Detections

Detection Details#

After a successful reset, a 'Validate Deployment' log entry is created. Its scope explicitly mentions the password reset as "VMAccessWindowsPasswordReset".

Logs#

| Data Source | Operation Name | Action | Log Location |
| --- | --- | --- | --- |
| Resource | Create or Update Virtual Machine Extension | microsoft.compute/virtualMachines/extensions/write | Azure Activity Log |
| Resource | Validate Deployment | Microsoft.Resources/deployments/validate/action | Azure Activity Log |

Queries#

AzureActivity
| where OperationNameValue == "microsoft.compute/virtualMachines/extensions/write" or OperationNameValue == "Microsoft.Resources/deployments/validate/action"
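The KQL above returns every extension write and every deployment validation, which is noisy on a busy subscription. The following Python script, added here as an example and not part of the AzTRM page or any Microsoft tooling, runs the same filter over a handful of constructed AzureActivity rows and then applies the page's sharper indicator: a Validate Deployment entry whose scope names VMAccessWindowsPasswordReset, correlated with an extension write by the same caller inside a short window. Column names follow the AzureActivity table in Log Analytics; the contents of the Properties column, the extension name `enablevmaccess`, the ten-minute correlation window and the sample callers and IPs are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Operation names exactly as they appear in the detection table above.
EXT_WRITE = "microsoft.compute/virtualMachines/extensions/write"
DEPLOY_VALIDATE = "Microsoft.Resources/deployments/validate/action"
# String the page says appears in the scope of the Validate Deployment entry.
RESET_MARKER = "VMAccessWindowsPasswordReset"

# Constructed subscription/resource-group prefix (not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-prod/providers"


def row(ts, op, caller, ip, resource_id, properties):
    """Build one constructed AzureActivity row; the Properties layout is an assumption."""
    return {"TimeGenerated": ts, "OperationNameValue": op, "ActivityStatusValue": "Success",
            "Caller": caller, "CallerIpAddress": ip, "_ResourceId": resource_id,
            "Properties": json.dumps(properties)}


RESET_DEPLOYMENT = SUB + "/microsoft.resources/deployments/VMAccessWindowsPasswordReset_20240115100240"
ROLLOUT_DEPLOYMENT = SUB + "/microsoft.resources/deployments/agent-rollout-20240115"

# Constructed sample telemetry: one password reset by an interactive admin,
# one routine agent rollout by a deployment identity, and one unrelated VM start.
SAMPLE_ROWS = [
    row("2024-01-15T10:02:11Z", EXT_WRITE, "ops-admin@example.onmicrosoft.com", "203.0.113.10",
        SUB + "/microsoft.compute/virtualmachines/vm-web01/extensions/enablevmaccess", {"statusCode": "OK"}),
    row("2024-01-15T10:02:40Z", DEPLOY_VALIDATE, "ops-admin@example.onmicrosoft.com", "203.0.113.10",
        RESET_DEPLOYMENT, {"scope": RESET_DEPLOYMENT, "statusCode": "OK"}),
    row("2024-01-15T09:00:00Z", EXT_WRITE, "svc-deploy@example.onmicrosoft.com", "198.51.100.7",
        SUB + "/microsoft.compute/virtualmachines/vm-web02/extensions/azuremonitoragent", {"statusCode": "OK"}),
    row("2024-01-15T09:00:30Z", DEPLOY_VALIDATE, "svc-deploy@example.onmicrosoft.com", "198.51.100.7",
        ROLLOUT_DEPLOYMENT, {"scope": ROLLOUT_DEPLOYMENT, "statusCode": "OK"}),
    row("2024-01-15T09:30:00Z", "Microsoft.Compute/virtualMachines/start/action",
        "svc-deploy@example.onmicrosoft.com", "198.51.100.7",
        SUB + "/microsoft.compute/virtualmachines/vm-web02", {"statusCode": "OK"}),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def vm_resource(resource_id):
    """Strip the '/extensions/<name>' suffix so alerts key on the VM, not the extension."""
    rid = resource_id.lower()
    i = rid.find("/extensions/")
    return rid[:i] if i != -1 else rid


def scope_mentions_reset(r):
    """The page's indicator: the Validate Deployment scope names VMAccessWindowsPasswordReset."""
    scope = json.loads(r["Properties"]).get("scope", "") + " " + r["_ResourceId"]
    return RESET_MARKER.lower() in scope.lower()


def match_page_query(rows):
    """Same filter as the KQL query on the page: both operation names, nothing else."""
    return [r for r in rows if r["OperationNameValue"] in (EXT_WRITE, DEPLOY_VALIDATE)]


def detect_password_resets(rows, window=timedelta(minutes=10)):
    """One alert per reset-scoped Validate Deployment. Severity is 'high' when the same
    caller also wrote a VM extension within the window (the window is an assumption)."""
    writes = [r for r in rows
              if r["OperationNameValue"] == EXT_WRITE and r["ActivityStatusValue"] == "Success"]
    alerts = []
    for v in rows:
        if v["OperationNameValue"] != DEPLOY_VALIDATE or not scope_mentions_reset(v):
            continue
        t = parse_ts(v["TimeGenerated"])
        related = [w for w in writes
                   if w["Caller"] == v["Caller"] and abs(parse_ts(w["TimeGenerated"]) - t) <= window]
        alerts.append({
            "severity": "high" if related else "medium",
            "caller": v["Caller"],
            "caller_ip": v["CallerIpAddress"],
            "time": v["TimeGenerated"],
            "vms": sorted({vm_resource(w["_ResourceId"]) for w in related}),
        })
    return alerts


if __name__ == "__main__":
    print(len(match_page_query(SAMPLE_ROWS)), "rows match the page's KQL filter")
    for alert in detect_password_resets(SAMPLE_ROWS):
        print(alert)
```

On the sample data the page's filter matches four of the five rows, while the reset-specific rule produces a single high-severity alert naming the caller, source IP and VM. The correlation by caller is needed because the Validate Deployment row's resource ID is the deployment, not the VM; only the extension write carries the VM path.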

Detection Screenshot#

[Detection screenshot: validate]