
Execute Commands on Virtual Machine using Run Command

slow idempotent

Platform: Azure

MITRE ATT&CK Tactics

  • Execution

Description

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker who holds the Microsoft.Compute/virtualMachines/runCommand/action permission on the VM (granted by the Virtual Machine Contributor role and any broader role) can pass:

  • Windows: PowerShell commands to the VM, executed as SYSTEM.
  • Linux: Shell commands to the VM, executed as root.

The commands are delivered and run by the Azure VM agent inside the guest, so the attacker needs no network path to the VM, no guest credentials and no open management port: a control-plane permission alone yields code execution as the most privileged local account. The feature is exposed through the Azure portal, the Azure CLI (az vm run-command invoke) and the REST API.

References:

Warm-up:

  • Create a virtual machine

Detonation:

  • Invoke a RunCommand on the target virtual machine

Instructions

Detonate with Stratus Red Team
stratus detonate azure.execution.vm-run-command

Detection

Identify Microsoft.Compute/virtualMachines/runCommand/action and Microsoft.Compute/virtualMachines/runCommands/write events in Azure Activity logs. The first corresponds to the "action" flavour of Run Command (a synchronous invocation whose output is returned to the caller); the second to the "managed" flavour, where the command is created as a runCommands child resource of the VM. Azure typically emits a "Started" event followed by a "Succeeded" (or "Failed") event for the same operation, so expect pairs. Note that the Activity Log records who invoked the command and against which VM, but not the script itself or its output; the caller field is a user principal name for interactive users and an object ID for service principals and managed identities.

Sample event (redacted for clarity):

{
    "caller": "you@domain.tld",
    "eventTimestamp": "2022-06-01T11:39:35.6986539Z",
    "id": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb/events/25235036-3b0c-46e7-97d0-5bea476a6ab8/ticks/637896803756986539",
    "level": "Informational",
    "operationName": {
        "value": "Microsoft.Compute/virtualMachines/runCommand/action",
        "localizedValue": "Run Command on Virtual Machine"
    },
    "resourceGroupName": "rg-4x3tj2hb",
    "resourceProviderName": {
        "value": "Microsoft.Compute",
        "localizedValue": "Microsoft.Compute"
    },
    "resourceType": {
        "value": "Microsoft.Compute/virtualMachines",
        "localizedValue": "Microsoft.Compute/virtualMachines"
    },
    "resourceId": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "properties": {
        "eventCategory": "Administrative",
        "entity": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
        "message": "Microsoft.Compute/virtualMachines/runCommand/action",
        "hierarchy": "<your-tenant-id>/<your-subscription-id>"
    },
    "relatedEvents": []
}
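The detection logic from the paragraph above, run over constructed Activity Log events, as an added example (this is not code from the Stratus Red Team project). The events are built to mirror the page's redacted sample: one runCommand/action event copied from it, one managed runCommands/write event and one benign VM start that the check must ignore; the service-principal caller GUID, the managed command name and the helper names are this example's own assumptions.

```python
"""Flag Azure Run Command invocations in Activity Log events.

Added example, not part of the Stratus Red Team page or project. All
events below are constructed for illustration.
"""
import json

# Operation names the Activity Log records for the two Run Command flavours:
# "action" Run Command (synchronous) and "managed" Run Command (child resource).
# Compared case-insensitively because exports vary in capitalisation.
RUN_COMMAND_OPERATIONS = {
    "microsoft.compute/virtualmachines/runcommand/action",
    "microsoft.compute/virtualmachines/runcommands/write",
}

# Constructed sample events (not real telemetry). The first mirrors the page's
# redacted sample; the second is a managed Run Command invoked by a service
# principal (caller is an object ID placeholder, not a UPN); the third is a
# benign VM start that must not be flagged.
SAMPLE_EVENTS = [
    {
        "caller": "you@domain.tld",
        "eventTimestamp": "2022-06-01T11:39:35.6986539Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"},
        "resourceGroupName": "rg-4x3tj2hb",
        "resourceId": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
        "status": {"value": "Succeeded"},
    },
    {
        "caller": "00000000-0000-0000-0000-000000000000",  # placeholder service principal object ID
        "eventTimestamp": "2022-06-01T11:41:02.0000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommands/write"},
        "resourceGroupName": "rg-4x3tj2hb",
        "resourceId": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb/runCommands/RunPowerShellScript",
        "status": {"value": "Succeeded"},
    },
    {
        "caller": "you@domain.tld",
        "eventTimestamp": "2022-06-01T11:30:00.0000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
        "resourceGroupName": "rg-4x3tj2hb",
        "resourceId": "/subscriptions/<your-subscription-id>/resourceGroups/rg-4x3tj2hb/providers/Microsoft.Compute/virtualMachines/vm-4x3tj2hb",
        "status": {"value": "Succeeded"},
    },
]


def _value(field) -> str:
    """Activity Log JSON nests operationName/status as {"value": ...}; the Log
    Analytics AzureActivity table flattens them to plain strings. Accept both."""
    if isinstance(field, dict):
        return str(field.get("value", ""))
    return str(field or "")


def vm_name_from_resource_id(resource_id: str) -> str:
    """Return the VM name: the path segment after 'virtualMachines'. Works both
    for the VM itself and for child resources such as .../runCommands/<name>."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "virtualmachines" and i + 1 < len(parts):
            return parts[i + 1]
    return ""


def is_run_command(event: dict) -> bool:
    """True when the event's operation is one of the Run Command operations."""
    return _value(event.get("operationName")).lower() in RUN_COMMAND_OPERATIONS


def find_run_command_events(events) -> list:
    """Reduce matching events to the fields an analyst needs, oldest first."""
    alerts = []
    for event in events:
        if not is_run_command(event):
            continue
        alerts.append({
            "timestamp": event.get("eventTimestamp", ""),
            "caller": event.get("caller", ""),
            "operation": _value(event.get("operationName")),
            "status": _value(event.get("status")),
            "resource_group": event.get("resourceGroupName", ""),
            "vm": vm_name_from_resource_id(event.get("resourceId", "")),
        })
    alerts.sort(key=lambda a: a["timestamp"])
    return alerts


if __name__ == "__main__":
    for alert in find_run_command_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Because the Activity Log does not carry the script body, an alert from this check should be followed up on the guest itself, where the VM agent writes the delivered script and its output; the field names used here match the JSON the Azure CLI's az monitor activity-log list emits, so a json.load of that output can be passed straight to find_run_command_events.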