{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/azure-run-command/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Virtual Machines"],"_cs_severities":["medium"],"_cs_tags":["cloud","endpoint","azure","execution","azure-run-command"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure VM Run Command executes scripts on guest machines without requiring interactive RDP or SSH sessions. This feature is often used for legitimate administrative tasks, but can be abused to execute malicious payloads directly on the VM. On Windows, the Run Command typically initiates PowerShell with the \u003ccode\u003e-ExecutionPolicy Unrestricted\u003c/code\u003e parameter and executes a \u003ccode\u003escript?.ps1\u003c/code\u003e file. On Linux, the Azure Linux Agent (waagent) executes downloaded scripts, typically named \u003ccode\u003escript.sh\u003c/code\u003e, located under the \u003ccode\u003e/var/lib/waagent/run-command/\u003c/code\u003e directory. Monitoring child processes initiated by these Run Command patterns is crucial because it exposes the actual on-guest payload that might not be fully visible in cloud activity logs. This behavior allows defenders to identify potentially malicious scripts being executed within Azure VMs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an Azure account or VM with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Azure Run Command to execute a script on a target VM.\u003c/li\u003e\n\u003cli\u003eOn Windows, the Run Command initiates a PowerShell process with \u003ccode\u003e-ExecutionPolicy Unrestricted -File script?.ps1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis PowerShell script executes a malicious payload, such as downloading and running an executable.\u003c/li\u003e\n\u003cli\u003eOn Linux, the Run Command causes waagent to download and execute \u003ccode\u003e/var/lib/waagent/run-command/download/*/script.sh\u003c/code\u003e via \u003ccode\u003ebash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell script performs malicious actions, such as installing backdoors or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe malicious payload establishes persistence on the VM.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised VM to move laterally within the network or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via Azure Run Command can lead to unauthorized code execution within Azure Virtual Machines. This can result in data theft, installation of malware, or the compromise of sensitive systems. While the exact number of affected organizations is unknown, this technique poses a significant risk to any organization utilizing Azure VMs without proper monitoring and access controls. The lack of detailed logging in cloud activity logs makes detection challenging, increasing the potential for undetected breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Run Command Script Child Process - Windows\u0026rdquo; to detect child processes of PowerShell executing scripts with unrestricted execution policy (related to \u003ccode\u003eprocess.parent.command_line\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Run Command Script Child Process - Linux\u0026rdquo; to detect child processes of shell interpreters executing scripts in the waagent run-command directory (related to \u003ccode\u003eprocess.parent.args\u003c/code\u003e and \u003ccode\u003eprocess.parent.name\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eCorrelate process creation events with Azure activity logs for \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\u003c/code\u003e events when available, as suggested in the rule\u0026rsquo;s note section.\u003c/li\u003e\n\u003cli\u003eImplement strict Azure RBAC policies to limit which users and service principals can execute Run Command actions.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Azure activity logs for suspicious Run Command usage patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T13:48:14Z","date_published":"2026-06-01T13:48:14Z","id":"https://feed.craftedsignal.io/briefs/2026-06-azure-run-command-script-child-process/","summary":"This rule identifies suspicious process start events where the parent process matches Azure Virtual Machine Run Command execution patterns on Windows (PowerShell with `-ExecutionPolicy Unrestricted` and `script?.ps1`) or Linux (waagent running `script.sh` under `/var/lib/waagent/run-command/`), exposing on-guest payloads.","title":"Azure Run Command Script Child Process","url":"https://feed.craftedsignal.io/briefs/2026-06-azure-run-command-script-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure-Run-Command","version":"https://jsonfeed.org/version/1.1"}