Skip to content
Threat Feed

Product

Azure Virtual Machines

4 briefs RSS
medium advisory

Azure VM Managed Run Command Abuse for Execution and Persistence

Adversaries can abuse the Azure VM Managed Run Command feature (MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE) to achieve code execution as System or root and establish persistence on Azure Virtual Machines or Virtual Machine Scale Sets by an unusual identity, potentially evading detections focused solely on action-based Run Commands.

Azure Virtual Machines +2 cloud azure execution persistence defense-evasion vm iac
2r 1t
medium advisory

Azure Run Command Script Child Process

This rule identifies suspicious process start events where the parent process matches Azure Virtual Machine Run Command execution patterns on Windows (PowerShell with `-ExecutionPolicy Unrestricted` and `script?.ps1`) or Linux (waagent running `script.sh` under `/var/lib/waagent/run-command/`), exposing on-guest payloads.

Azure Virtual Machines cloud endpoint azure execution azure-run-command
2r 3t
medium advisory

Azure VM Extension Deployment by Interactive User

Successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal can lead to arbitrary code execution, backdoor account creation, credential harvesting, and persistence on Azure-hosted virtual machines.

Azure Virtual Machines +4 azure vm-extension persistence cloud threat-detection
2r 3t
medium advisory

Azure Compute VM Command Execution Detected

Successful execution of commands on Azure Virtual Machines, specifically the MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation, may indicate unauthorized activity or lateral movement attempts.

Azure Virtual Machines +1 azure execution cloud vm
2r 1t