Microsoft.Compute/virtualMachines/runCommand/action
Event
Executes a script or command on an Azure VM without requiring network-based access such as SSH or RDP.
Security Context
- Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
Azure Activity Log
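An added detection example, not part of this entry, showing how Azure Activity Log records for this operation can be grouped into invocations and checked against an allowlist of automation identities. The records, the allowlist and the identity.claims.name path used for the caller are constructed assumptions; field names follow the Activity Log export schema.

```python
# Operation this entry documents; Activity Log exports the value upper-cased,
# so the match below is case-insensitive.
RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"

# Constructed sample Activity Log records (field names follow the Activity Log
# export schema; every value, including the subscription, is made up).
VM_PREFIX = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_EVENTS = [
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "resultType": "Start",
     "correlationId": "c-1", "callerIpAddress": "203.0.113.7", "resourceId": VM_PREFIX + "web01",
     "identity": {"claims": {"name": "alice@example.com"}}},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "resultType": "Success",
     "correlationId": "c-1", "callerIpAddress": "203.0.113.7", "resourceId": VM_PREFIX + "web01",
     "identity": {"claims": {"name": "alice@example.com"}}},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTART/ACTION", "resultType": "Success",
     "correlationId": "c-2", "callerIpAddress": "198.51.100.4", "resourceId": VM_PREFIX + "db01",
     "identity": {"claims": {"name": "patch-automation-sp"}}},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "resultType": "Start",
     "correlationId": "c-3", "callerIpAddress": "198.51.100.4", "resourceId": VM_PREFIX + "db01",
     "identity": {"claims": {"name": "patch-automation-sp"}}},
]

def run_command_invocations(records):
    """Group runCommand records by correlationId into one summary per call."""
    # The Start record and its Success/Failure record share a correlationId;
    # a call that never reaches a terminal record keeps outcome "Start".
    invocations = {}
    for rec in records:
        if rec.get("operationName", "").lower() != RUN_COMMAND_OP.lower():
            continue
        inv = invocations.setdefault(rec["correlationId"], {
            "caller": rec.get("identity", {}).get("claims", {}).get("name", "unknown"),
            "caller_ip": rec.get("callerIpAddress"),
            "vm": rec["resourceId"].rsplit("/", 1)[-1],
            "outcome": "Start",
        })
        if rec.get("resultType") != "Start":
            inv["outcome"] = rec["resultType"]
    return invocations

def unexpected_invocations(invocations, allowed_callers):
    """Return correlationIds whose caller is not an approved automation identity."""
    return sorted(cid for cid, inv in invocations.items()
                  if inv["caller"] not in allowed_callers)

if __name__ == "__main__":
    found = run_command_invocations(SAMPLE_EVENTS)
    for cid in unexpected_invocations(found, {"patch-automation-sp"}):
        print(f"ALERT {cid}: {found[cid]}")
```

Because runCommand is also how legitimate patching and configuration automation works, the allowlist is what separates expected use from a human or unknown principal reaching the OS without SSH or RDP.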
Sample Event
MITRE ATT&CK Mapping
Tactics: Execution, Lateral Movement
Techniques:
- T1651 — Cloud Administration Command — Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
- T1021 — Remote Services — Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.