Azure Suspicious VM Scale Set Run Command Execution

Triggers

• A Microsoft Entra Identity is using a highly permissive role, such as an Azure Virtual Machine Contributor or Owner role, to execute Run Commands within a Resource Group that contains a VM Scale Set (VMSS). This is unusual for the identity.
• The execution of the Run Command is occurring outside of regular business hours.
• Multiple instances of suspicious Run Command executions are detected within a short timeframe.

Possible Root Causes

• Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on VM Scale Sets without permission.
• Misconfigured Permissions or Role Assignments: A Microsoft Entra Identity has excessive permissions, allowing them to execute Run Commands on VM Scale Sets they should not have access to.
• DevOps Automation: A DevOps engineer is using Run Commands to automate a deployment or troubleshoot processes on multiple VMs in the scale set, but due to a misconfigured script or permissions issue, the commands appear suspicious.
• Automated Tasks: A legitimate backup or maintenance task is running on the VM Scale Set.
• System Updates: A patching process is being executed, causing changes in file system permissions or access patterns.
• Administrator Troubleshooting: A legitimate administrator is using Run Commands to resolve an issue, but their credentials are not recognized by the security system.

Business Impact

• Data loss or corruption due to unauthorized access.
• Security breaches due to exploitation of vulnerabilities or abuse of privileges.
• Unplanned changes or downtime for critical services.
• Exploitation of security vulnerabilities.

Steps to Verify

• Review the Resource Group and VM Scale Set permissions to ensure that only authorized users or service principals have access.
• Investigate the identity of the user or service principal that executed the Run Command.
• Check the command�s parameters and actions taken, comparing them with expected or approved activities.
• Analyze Azure Audit Logs to determine the timing and source of the suspicious activity.
• Confirm whether the VM Scale Set is part of a larger Infrastructure as Code (IaC) configuration or automated deployment process.