Azure VM command run
Description
AlphaSOC detected the execution of a command on an Azure virtual machine using the Run Command feature. Run Command allows execution of scripts inside VMs via the Azure management plane without requiring direct access to the VM. While this feature has legitimate administrative purposes, adversaries with cloud administrative access can abuse it to execute arbitrary code without direct VM access.
Impact
Unauthorized use of Run Command can enable threat actors to execute malicious code, install malware, exfiltrate data, or establish persistence on virtual machines. This technique allows attackers to bypass network-level controls and execute commands remotely through the Azure management plane.
Severity
| Severity | Condition |
|---|---|
| Low | Azure VM command run |
Investigation and Remediation
Review Azure Activity logs to identify the Microsoft.Compute/virtualMachines/runCommand/action event. Examine the specific command executed, the target virtual machine, and the identity that initiated the action. Verify whether the activity was authorized.
If unauthorized, investigate the affected VM for signs of compromise, including malware, unauthorized users, or configuration changes. Rotate credentials for the compromised Azure identity and review RBAC assignments to restrict Run Command permissions to only authorized administrators. Consider implementing Azure Policy to restrict or monitor Run Command usage.
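A triage helper for the Activity Log review described above, added here as an example (it is not AlphaSOC's detection code). It assumes Activity Log records in the JSON shape returned by the Azure REST API and `az monitor activity-log list`; the sample records, the caller identities and the allow-list of authorized administrators are constructed.

```python
import json
import re

RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
VM_ID_RE = re.compile(
    r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.Compute/virtualMachines/(?P<vm>[^/]+)$",
    re.IGNORECASE,
)

def _vm_id(rg: str, vm: str) -> str:
    # Constructed resource ID; the subscription GUID is a placeholder.
    return (f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{rg}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm}")

def _rec(ts: str, caller: str, op: str, status: str, rid: str) -> dict:
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": rid}

# Constructed Activity Log export; field names follow the Azure Activity Log schema.
UNKNOWN_SP = "11111111-2222-3333-4444-555555555555"  # placeholder service principal app ID
SAMPLE_LOG = json.dumps([
    _rec("2024-05-01T10:00:00Z", "ops-admin@example.com", RUN_COMMAND_OP, "Succeeded", _vm_id("prod", "web01")),
    _rec("2024-05-01T10:05:00Z", "ops-admin@example.com",
         "Microsoft.Compute/virtualMachines/start/action", "Succeeded", _vm_id("prod", "web01")),
    _rec("2024-05-01T23:40:00Z", UNKNOWN_SP, RUN_COMMAND_OP, "Started", _vm_id("prod", "db01")),
    _rec("2024-05-01T23:40:30Z", UNKNOWN_SP, RUN_COMMAND_OP, "Succeeded", _vm_id("prod", "db01")),
])

def triage_run_commands(raw_log: str, allowed_callers: set[str]) -> list[dict]:
    """One record per runCommand event; callers outside the allow-list are marked unauthorized."""
    allowed = {c.lower() for c in allowed_callers}
    events = []
    for rec in json.loads(raw_log):
        if rec.get("operationName", {}).get("value", "").lower() != RUN_COMMAND_OP.lower():
            continue  # other VM operations (start, deallocate, ...) are out of scope
        m = VM_ID_RE.search(rec.get("resourceId", ""))
        caller = rec.get("caller", "")
        events.append({
            "timestamp": rec.get("eventTimestamp", ""), "caller": caller,
            "resource_group": m.group("rg") if m else None, "vm": m.group("vm") if m else None,
            "status": rec.get("status", {}).get("value", ""), "authorized": caller.lower() in allowed,
        })
    return events

def unauthorized_executions(events: list[dict]) -> list[dict]:
    """Completed executions by non-allow-listed identities: the VMs that need a compromise check."""
    return [e for e in events if not e["authorized"] and e["status"] == "Succeeded"]
```

Identities used by configuration-management automation belong on the allow-list as well, which is how the false positives listed below are kept out of the result.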
Known False Positives
- Authorized administrators using Run Command for legitimate maintenance tasks
- Automated scripts for VM configuration management
- Troubleshooting activities by support teams