{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-run-command/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Virtual Machines","Azure Virtual Machine Scale Sets","Azure Run Command"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","execution","persistence","defense-evasion","vm","iac"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries are known to leverage legitimate cloud platform functionalities for malicious purposes, and the Azure VM Managed Run Command is one such target. This feature allows for the creation or update of a persistent resource on an Azure Virtual Machine or Virtual Machine Scale Set, which executes a supplied script with high privileges (System on Windows, root on Linux). Unlike the ephemeral \u0026quot;runCommand/action,\u0026quot; the managed Run Command, identified by operations such as \u0026quot;MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE,\u0026quot; leaves a durable object, making it suitable for establishing persistence. This technique allows attackers to evade detection mechanisms that primarily monitor transient command executions. Detection focuses on identifying instances where an identity that has not previously performed this operation initiates a managed run command, signaling unusual or unauthorized activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to an Azure environment, typically through compromised credentials for an Azure Active Directory principal with sufficient permissions (e.g., Virtual Machine Contributor, Owner role on a resource group or subscription).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies target Azure Virtual Machines or Virtual Machine Scale Sets that can be accessed and abused for execution and persistence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e To avoid detection by security tools monitoring common execution methods, the attacker opts to use the less commonly scrutinized Managed Run Command (\u003ccode\u003eruncommands/write\u003c/code\u003e) instead of the action-based \u003ccode\u003erunCommand/action\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution via Managed Run Command:\u003c/strong\u003e The compromised principal creates or updates a Managed Run Command resource on the target VM/VMSS, embedding a malicious script. This action executes the script as System (Windows) or root (Linux) upon creation/update.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Establishment:\u003c/strong\u003e The Managed Run Command resource itself serves as a persistent backdoor, allowing the attacker to re-execute the script or maintain a foothold.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2):\u003c/strong\u003e The executed script establishes a C2 channel, allowing the attacker to remotely control the compromised VM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement / Data Exfiltration:\u003c/strong\u003e With C2 established and high privileges, the attacker proceeds with further objectives, such as lateral movement within the Azure environment or exfiltration of sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker maintains control and can perform arbitrary actions on the compromised virtual machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique grants adversaries System (Windows) or root (Linux) level code execution on targeted Azure Virtual Machines and Virtual Machine Scale Sets. This leads to persistent access to the compromised resources, allowing attackers to establish command and control, deploy additional malware, steal sensitive data, pivot to other resources within the Azure subscription, or disrupt operations. The persistent nature of the managed run command means that even after a potential reboot, the attacker's script could re-execute, maintaining the breach. While specific victim counts are not available for this technique, it poses a significant risk to any organization utilizing Azure IaaS with insufficient logging or monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM solution to detect suspicious Azure Managed Run Command operations.\u003c/li\u003e\n\u003cli\u003eConfigure Azure Activity Logs to be ingested into your SIEM for correlation and analysis, specifically for the \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eBaseline expected service principals, managed identities, and administrator users that legitimately create or update Azure VM Managed Run Commands and exclude them from alerting to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003eazure.activitylogs.identity.authorization.evidence.principal_id\u003c/code\u003e for any unusual principal executing managed run commands.\u003c/li\u003e\n\u003cli\u003eReview the RBAC roles assigned to principals triggering these alerts, focusing on least privilege.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with \u003ccode\u003esource.ip\u003c/code\u003e to identify if the activity originates from unusual or untrusted IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T15:50:17Z","date_published":"2026-06-19T15:50:17Z","id":"https://feed.craftedsignal.io/briefs/2026-06-azure-vm-run-command-abuse/","summary":"Adversaries can abuse the Azure VM Managed Run Command feature (MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE) to achieve code execution as System or root and establish persistence on Azure Virtual Machines or Virtual Machine Scale Sets by an unusual identity, potentially evading detections focused solely on action-based Run Commands.","title":"Azure VM Managed Run Command Abuse for Execution and Persistence","url":"https://feed.craftedsignal.io/briefs/2026-06-azure-vm-run-command-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Run Command","version":"https://jsonfeed.org/version/1.1"}