Azure Suspicious VM Scale Set Run Command Execution

Detection overview

Triggers

  • A Microsoft Entra Identity is using a highly permissive role, such as an Azure Virtual Machine Contributor or Owner role, to execute Run Commands within a Resource Group that contains a VM Scale Set (VMSS). This is unusual for the identity.
  • The execution of the Run Command is occurring outside of regular business hours.
  • Multiple instances of suspicious Run Command executions are detected within a short timeframe.

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on VM Scale Sets without permission.
  • Misconfigured Permissions or Role Assignments: A Microsoft Entra Identity has excessive permissions, allowing them to execute Run Commands on VM Scale Sets they should not have access to.
  • DevOps Automation: A DevOps engineer is using Run Commands to automate a deployment or troubleshoot processes on multiple VMs in the scale set, but due to a misconfigured script or permissions issue, the commands appear suspicious.
  • Automated Tasks: A legitimate backup or maintenance task is running on the VM Scale Set.
  • System Updates: A patching process is being executed, causing changes in file system permissions or access patterns.
  • Administrator Troubleshooting: A legitimate administrator is using Run Commands to resolve an issue, but their credentials are not recognized by the security system.

Business Impact

  • Data loss or corruption due to unauthorized access.
  • Security breaches due to exploitation of vulnerabilities or abuse of privileges.
  • Unplanned changes or downtime for critical services.
  • Exploitation of security vulnerabilities.

Steps to Verify

  • Review the Resource Group and VM Scale Set permissions to ensure that only authorized users or service principals have access.
  • Investigate the identity of the user or service principal that executed the Run Command.
  • Check the command's parameters and actions taken, comparing them with expected or approved activities.
  • Analyze Azure Audit Logs to determine the timing and source of the suspicious activity.
  • Confirm whether the VM Scale Set is part of a larger Infrastructure as Code (IaC) configuration or automated deployment process.
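The triggers above and the audit-log step can be expressed as a small triage script. This is an added example, not Vectra's detection logic: it runs over constructed Azure Activity Log records (the operationName string for VMSS Run Command and the role assignments are assumed sample values) and reports, per identity, which of the three triggers fired. Business hours are evaluated in UTC; a real deployment would convert to the organization's local time zone.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumed operationName for a Run Command against a VM Scale Set instance.
VMSS_RUN_CMD = "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"

# Constructed Azure Activity Log lines (one JSON record per line), not real data.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2024-05-04T02:10:00Z", "operationName": VMSS_RUN_CMD, "caller": "svc-deploy@contoso.example", "resourceGroup": "rg-web"},
    {"time": "2024-05-04T02:12:30Z", "operationName": VMSS_RUN_CMD, "caller": "svc-deploy@contoso.example", "resourceGroup": "rg-web"},
    {"time": "2024-05-04T02:15:00Z", "operationName": VMSS_RUN_CMD, "caller": "svc-deploy@contoso.example", "resourceGroup": "rg-web"},
    {"time": "2024-05-06T10:00:00Z", "operationName": VMSS_RUN_CMD, "caller": "ops-admin@contoso.example", "resourceGroup": "rg-web"},
    {"time": "2024-05-06T10:01:00Z", "operationName": "Microsoft.Compute/virtualMachineScaleSets/read", "caller": "ops-admin@contoso.example", "resourceGroup": "rg-web"},
])

# Constructed role assignments on the resource group (what "review permissions" would surface).
PRIVILEGED_ROLES = {"Owner", "Contributor", "Virtual Machine Contributor"}
ROLE_ASSIGNMENTS = {
    "svc-deploy@contoso.example": "Virtual Machine Contributor",
    "ops-admin@contoso.example": "Virtual Machine Administrator Login",
}

def analyze(log_text, business_hours=(8, 18), window_min=10, burst_count=3):
    """Return {caller: sorted list of triggers} for VMSS Run Command events in the log."""
    by_caller = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("operationName") != VMSS_RUN_CMD:
            continue  # ignore anything that is not a Run Command on a scale set
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_caller[rec["caller"]].append(ts)

    findings = {}
    for caller, times in by_caller.items():
        reasons = set()
        if ROLE_ASSIGNMENTS.get(caller) in PRIVILEGED_ROLES:
            reasons.add("privileged-role")           # trigger 1: highly permissive role
        if any(not (business_hours[0] <= t.hour < business_hours[1]) for t in times):
            reasons.add("off-hours")                  # trigger 2: outside business hours
        times.sort()
        # trigger 3: burst_count executions inside a sliding window of window_min minutes
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= window_min * 60:
                reasons.add("burst")
                break
        findings[caller] = sorted(reasons)
    return findings
```

An identity that fires all three triggers is the one to escalate first; an identity with none is a candidate for the benign root causes listed above.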