Execute Commands on Virtual Machine using Run Command
Tags: slow warm-up (creates infrastructure), idempotent detonation
Platform: Azure
MITRE ATT&CK Tactics
- Execution
Description
Azure Run Command lets any principal holding the Microsoft.Compute/virtualMachines/runCommand/action permission (included in built-in roles such as Virtual Machine Contributor, Contributor and Owner) execute a script inside a VM through the Azure VM agent. Only control-plane (ARM) access is needed: no network path to the VM, no guest credentials and no open ports. An attacker with that permission can pass:
- Windows: PowerShell commands, executed on the VM as SYSTEM.
- Linux: shell commands, executed on the VM as root.
References:
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command
- https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1/
- https://go.crowdstrike.com/rs/281-OBQ-266/images/report-crowdstrike-2023-threat-hunting-report.pdf (page 34)
- https://cloud.google.com/blog/topics/threat-intelligence/russian-targeting-gov-business
Warm-up:
- Create a virtual machine
Detonation:
- Invoke a RunCommand on the target virtual machine
Instructions
Detection
Identify Microsoft.Compute/virtualMachines/runCommand/action events (the one-off Run Command exposed by the portal, the az CLI and Invoke-AzVMRunCommand) and Microsoft.Compute/virtualMachines/runCommands/write events (the managed Run Command, created as a runCommands child resource of the VM) in Azure Activity logs.
The Activity Log records who invoked a command, on which VM, and whether it succeeded, but not the script body or its output, because request bodies are never logged. A managed Run Command keeps its script source retrievable through the ARM API for as long as the runCommands resource exists; a one-off invocation leaves only guest-side evidence, where the Run Command VM extension (Microsoft.CPlat.Core.RunCommandWindows or Microsoft.CPlat.Core.RunCommandLinux) stages and executes the script, so process telemetry from inside the VM complements the control-plane signal. Run Command is also used for routine administration, so baseline the callers (typically automation identities) that legitimately use it before alerting on every event, and keep Failed records as well as Succeeded ones, since a denied attempt still shows who tried.
Sample event (redacted for clarity):
{
  "caller": "you@domain.tld",
  "eventTimestamp": "2022-06-01T11:39:35.6986539Z",
  "id": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb/events/25235036-3b0c-46e7-97d0-5bea476a6ab8/ticks/637896803756986539",
  "level": "Informational",
  "operationName": {
    "value": "Microsoft.Compute/virtualMachines/runCommand/action",
    "localizedValue": "Run Command on Virtual Machine"
  },
  "resourceGroupName": "rg-4x3tj2hb",
  "resourceProviderName": {
    "value": "Microsoft.Compute",
    "localizedValue": "Microsoft.Compute"
  },
  "resourceType": {
    "value": "Microsoft.Compute/virtualMachines",
    "localizedValue": "Microsoft.Compute/virtualMachines"
  },
  "resourceId": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
  "status": {
    "value": "Succeeded",
    "localizedValue": "Succeeded"
  },
  "properties": {
    "eventCategory": "Administrative",
    "entity": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
    "message": "Microsoft.Compute/virtualMachines/runCommand/action",
    "hierarchy": "<your-tenant-id>/<your-subscription-id>"
  },
  "relatedEvents": []
}
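As an added example (not part of the Stratus Red Team page or its tooling), the following Python applies the detection above to a handful of constructed Activity Log events. The first event mirrors the redacted sample; the others, including the hypothetical patch-automation@domain.tld caller and the rg-prod/vm-web-01 resource, are invented to exercise the managed runCommands/write case, a non-matching VM operation, and an allowlist of known automation identities. It shows how to cover both operation names with one check and how to recover the VM name when the resourceId points at a runCommands child resource rather than at the VM itself.

```python
"""Flag Azure Run Command executions in Activity Log events.

Added example, not code from the original page. The events below are
constructed: the first mirrors the page's redacted sample, the rest are
invented, and only the Activity Log fields the check needs are included
(caller, operationName.value, resourceId, status.value, eventTimestamp).
"""
from dataclasses import dataclass

# Both operation names that mean "a script was pushed into a VM":
#   runCommand/action  -> one-off Run Command (portal, az CLI, Invoke-AzVMRunCommand)
#   runCommands/write  -> managed Run Command, a child resource of the VM
RUN_COMMAND_OPERATIONS = frozenset({
    "microsoft.compute/virtualmachines/runcommand/action",
    "microsoft.compute/virtualmachines/runcommands/write",
})

SUB = "/subscriptions/<your-subscription-id>"

# Constructed sample events (see module docstring).
SAMPLE_EVENTS = [
    {   # mirrors the page's redacted sample
        "caller": "you@domain.tld",
        "eventTimestamp": "2022-06-01T11:39:35.6986539Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"},
        "resourceId": SUB + "/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
        "status": {"value": "Succeeded"},
    },
    {   # invented: managed Run Command on the same VM; resourceId is the child resource
        "caller": "you@domain.tld",
        "eventTimestamp": "2022-06-01T11:42:10.0000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommands/write"},
        "resourceId": SUB + "/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb/runCommands/RunPowerShellScript",
        "status": {"value": "Succeeded"},
    },
    {   # invented: unrelated VM operation, must not alert
        "caller": "you@domain.tld",
        "eventTimestamp": "2022-06-01T11:45:00.0000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
        "resourceId": SUB + "/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
        "status": {"value": "Succeeded"},
    },
    {   # invented: hypothetical automation identity using Run Command for patching
        "caller": "patch-automation@domain.tld",
        "eventTimestamp": "2022-06-01T02:00:00.0000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"},
        "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01",
        "status": {"value": "Succeeded"},
    },
]


@dataclass(frozen=True)
class RunCommandAlert:
    caller: str
    vm: str
    operation: str
    status: str
    timestamp: str


def vm_from_resource_id(resource_id: str) -> str:
    """Return the VM name whether the id points at the VM or at a runCommands child."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "virtualmachines" and i + 1 < len(parts):
            return parts[i + 1]
    return resource_id


def detect_run_commands(events, allowlisted_callers=frozenset()):
    """Return one alert per Run Command event not issued by an allowlisted caller.

    Matching is case-insensitive: ARM treats provider names and actions
    case-insensitively and exports differ in the casing they emit.
    """
    allow = {c.lower() for c in allowlisted_callers}
    alerts = []
    for event in events:
        op = event.get("operationName", {}).get("value", "")
        if op.lower() not in RUN_COMMAND_OPERATIONS:
            continue
        caller = event.get("caller", "")
        if caller.lower() in allow:
            continue
        alerts.append(RunCommandAlert(
            caller=caller,
            vm=vm_from_resource_id(event.get("resourceId", "")),
            operation=op,
            status=event.get("status", {}).get("value", ""),
            timestamp=event.get("eventTimestamp", ""),
        ))
    return alerts


if __name__ == "__main__":
    for a in detect_run_commands(SAMPLE_EVENTS, {"patch-automation@domain.tld"}):
        print(f"{a.timestamp} {a.caller} {a.operation} on {a.vm}: {a.status}")
```

The Activity Log emits a Started record and a Succeeded or Failed record for the same operation, so in production collapse on correlationId (omitted from the constructed events) rather than alerting on each record. The allowlist is deliberately a plain set of callers; a real deployment would key it on the service principal or managed identity object ID rather than a display name, which a compromised or renamed identity could imitate.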