Attack Chain

1. Initial Access: An attacker gains initial access to an Azure environment, typically through compromised credentials for an Azure Active Directory principal with sufficient permissions (e.g., Virtual Machine Contributor, Owner role on a resource group or subscription).
2. Reconnaissance: The attacker identifies target Azure Virtual Machines or Virtual Machine Scale Sets that can be accessed and abused for execution and persistence.
3. Defense Evasion: To avoid detection by security tools monitoring common execution methods, the attacker opts to use the less commonly scrutinized Managed Run Command (runcommands/write) instead of the action-based runCommand/action.
4. Execution via Managed Run Command: The compromised principal creates or updates a Managed Run Command resource on the target VM/VMSS, embedding a malicious script. This action executes the script as System (Windows) or root (Linux) upon creation/update.
5. Persistence Establishment: The Managed Run Command resource itself serves as a persistent backdoor, allowing the attacker to re-execute the script or maintain a foothold.
6. Command and Control (C2): The executed script establishes a C2 channel, allowing the attacker to remotely control the compromised VM.
7. Lateral Movement / Data Exfiltration: With C2 established and high privileges, the attacker proceeds with further objectives, such as lateral movement within the Azure environment or exfiltration of sensitive data.
8. Impact: The attacker maintains control and can perform arbitrary actions on the compromised virtual machine.

Impact

Successful exploitation of this technique grants adversaries System (Windows) or root (Linux) level code execution on targeted Azure Virtual Machines and Virtual Machine Scale Sets. This leads to persistent access to the compromised resources, allowing attackers to establish command and control, deploy additional malware, steal sensitive data, pivot to other resources within the Azure subscription, or disrupt operations. The persistent nature of the managed run command means that even after a potential reboot, the attacker's script could re-execute, maintaining the breach. While specific victim counts are not available for this technique, it poses a significant risk to any organization utilizing Azure IaaS with insufficient logging or monitoring.

Recommendation

• Deploy the provided Sigma rules to your SIEM solution to detect suspicious Azure Managed Run Command operations.
• Configure Azure Activity Logs to be ingested into your SIEM for correlation and analysis, specifically for the MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE operation.
• Baseline expected service principals, managed identities, and administrator users that legitimately create or update Azure VM Managed Run Commands and exclude them from alerting to reduce false positives.
• Investigate azure.activitylogs.identity.authorization.evidence.principal_id for any unusual principal executing managed run commands.
• Review the RBAC roles assigned to principals triggering these alerts, focusing on least privilege.
• Correlate alerts with source.ip to identify if the activity originates from unusual or untrusted IP addresses.