Executing commands on a virtual machine through Run Command

PLATFORM

SERVICE: virtual-machines

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: medium (exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some might refer to this as likelihood)

IMPACT: high (how impactful to your environment and organization a successful exploitation of this vulnerability is expected to be)

About

An attacker can abuse the native Azure feature "Run Command" to execute commands on a virtual machine.

Understanding Impact

Business Impact

Execution of malicious software on a virtual machine can lead to unauthorized data access and data loss.

Technical Impact

The Azure feature "Run Command" allows you to execute commands on a virtual machine. This feature is typically used for troubleshooting purposes, but can also be used by attackers to execute malicious software on a virtual machine.

Note that using this feature does not require any network connectivity to the virtual machine, as everything is done through the Azure control plane.

Detection

You can detect when a command is executed on a virtual machine through the Azure Activity log event Microsoft.Compute/virtualMachines/runCommand/action. Sample event, shortened for readability:

{
    "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachines/<vm-name>/events/9b4d3532-8db7-4d04-83e4-0fda7fb2d5b6/ticks/638288229632759533",
    "operationName": {
        "value": "Microsoft.Compute/virtualMachines/runCommand/action",
        "localizedValue": "Run Command on Virtual Machine"
    },
    "resourceGroupName": "<resource-group>",
    "resourceProviderName": {
        "value": "Microsoft.Compute"
    },
    "resourceType": {
        "value": "Microsoft.Compute/virtualMachines"
    },
    "resourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachines/<vm-name>",
    "status": {
        "value": "Succeeded"
    },
    "subscriptionId": "<subscription-id>",
    "tenantId": "9b0132ed-9474-4670-8f0f-6de661128f95",
    "properties": {
        "eventCategory": "Administrative",
        "entity": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachines/<vm-name>",
        "message": "Microsoft.Compute/virtualMachines/runCommand/action"
    }
}
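The detection above is a match on the operationName of an Activity Log event. As an added example that is not part of the original article or of Datadog's rule, the following Python filters a batch of Activity Log events for Run Command invocations and extracts the fields a responder needs (VM name, resource group, subscription, outcome). The events are constructed sample data, not real logs, and the case-insensitive comparison is this author's precaution for exported records rather than something the article states.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Sequence

# Operation name the article identifies for Run Command invocations. Compared
# case-insensitively as a precaution (assumption): exported Activity Log records
# do not always preserve the casing shown in the portal.
RUN_COMMAND_OPERATION = "Microsoft.Compute/virtualMachines/runCommand/action"

# Constructed sample events (not real data): a successful Run Command, a failed
# one on a second VM, and an unrelated VM start that must not be flagged.
SAMPLE_EVENTS_JSON = """
[
  {
    "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"},
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-01",
    "status": {"value": "Succeeded"},
    "subscriptionId": "11111111-1111-1111-1111-111111111111",
    "properties": {"eventCategory": "Administrative"}
  },
  {
    "operationName": {"value": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"},
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/build-02",
    "status": {"value": "Failed"},
    "subscriptionId": "11111111-1111-1111-1111-111111111111",
    "properties": {"eventCategory": "Administrative"}
  },
  {
    "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-01",
    "status": {"value": "Succeeded"},
    "subscriptionId": "11111111-1111-1111-1111-111111111111",
    "properties": {"eventCategory": "Administrative"}
  }
]
"""

# Shape of a VM resource ID as it appears in the "resourceId" field above.
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Compute/virtualMachines/(?P<vm>[^/]+)$",
    re.IGNORECASE,
)


def is_run_command_event(event: Dict) -> bool:
    """True when the event's operationName is the Run Command action."""
    op = (event.get("operationName") or {}).get("value") or ""
    return op.lower() == RUN_COMMAND_OPERATION.lower()


def parse_vm_resource_id(resource_id: str) -> Optional[Dict[str, str]]:
    """Split a VM resource ID into subscription, resource group and VM name."""
    match = _RESOURCE_ID_RE.match(resource_id or "")
    return match.groupdict() if match else None


def find_run_command_events(
    events: Iterable[Dict], statuses: Optional[Sequence[str]] = None
) -> List[Dict[str, str]]:
    """Return one finding per Run Command event, optionally filtered by status.

    A single invocation can produce several Activity Log records (for example a
    Started record before the final one), so filtering on status lets a rule
    alert once on the outcome rather than on every intermediate record.
    """
    wanted = {s.lower() for s in statuses} if statuses else None
    findings: List[Dict[str, str]] = []
    for event in events:
        if not is_run_command_event(event):
            continue
        status = (event.get("status") or {}).get("value") or "Unknown"
        if wanted is not None and status.lower() not in wanted:
            continue
        parts = parse_vm_resource_id(event.get("resourceId", "")) or {}
        findings.append({
            "vm": parts.get("vm", "<unparsed>"),
            "resource_group": parts.get("resource_group", "<unparsed>"),
            "subscription": parts.get("subscription", event.get("subscriptionId", "<unknown>")),
            "status": status,
        })
    return findings


def load_events(raw_json: str) -> List[Dict]:
    """Parse an exported Activity Log batch (a JSON array of events)."""
    return json.loads(raw_json)


if __name__ == "__main__":
    for finding in find_run_command_events(load_events(SAMPLE_EVENTS_JSON)):
        print(f"Run Command on VM {finding['vm']} ({finding['resource_group']}): {finding['status']}")
```

Because Run Command needs no network path to the VM, a guest-side EDR alone may see only the resulting process; the control-plane record above is the place to tie that process back to the identity and subscription that invoked it.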

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate azure.execution.vm-run-command

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "User ran a command on Azure Compute".

References

Stratus Red Team - Execute Commands on Virtual Machine using Run Command (stratus-red-team.cloud)

Run scripts in your Windows VM by using action Run Commands (Azure documentation)

Crowdstrike 2023 threat hunting report, p. 34 (go.crowdstrike.com)

NOBELIUM targeting delegated administrative privileges to facilitate broader attacks (microsoft.com)
