Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. ^[1]^[2]

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.^[3]

ID: T1651

Sub-techniques: No sub-techniques

ⓘ

Tactic: Execution

ⓘ

Platforms: IaaS

Contributors: Adrien Bataille; Anders Vejlby; Caio Silva; Cisco; Jared Wilson; Nader Zaveri; Nichols Jasper; Tamir Yehuda

Version: 2.0

Created: 13 March 2023

Last Modified: 15 October 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0677	AADInternals	AADInternals can execute commands on Azure virtual machines using the VM agent.^[4]
G0016	APT29	APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.^[3]
S1091	Pacu	Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.^[5]

Mitigations

ID	Mitigation	Description
M1026	Privileged Account Management	Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributer and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.^[6]

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor for suspicious command executions via cloud management services like AWS System Manager or Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the `C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows` directory on Windows virtual machines.^[6] Analytic 1 - Abnormal or unauthorized execution of commands/scripts on VMs `index=cloud_logs sourcetype=aws:ssm OR sourcetype=azure:activity\| search action IN ("RunCommand", "StartSSMCommand", "ExecuteCommand")`
DS0009	Process	Process Creation	Monitor for process creation events in virtual machines that are associated with cloud VM agents, such as the WindowsAzureGuestAgent.exe process on Azure virtual machines. ^[6] Analytic 1 - Unexpected process creation `sourcetype=process_creation\| search process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe")\| where process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe") AND process_path != "/usr/local/bin/"`
DS0012	Script	Script Execution	Monitor the execution of scripts within virtual machines, especially those initiated via cloud management services like Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the `C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows` directory on Windows virtual machines.^[6] Analytic 1 - Unauthorized script execution `sourcetype=azure:activity\| search script_name IN ("script.sh", "run.ps1", "start.cmd")\| where script_name IN ("script.sh", "run.ps1", "start.cmd") AND user NOT IN ("known_admins")`

DS0017

Command

Command Execution

Monitor for suspicious command executions via cloud management services like AWS System Manager or Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.^[6]

Analytic 1 - Abnormal or unauthorized execution of commands/scripts on VMs

index=cloud_logs sourcetype=aws:ssm OR sourcetype=azure:activity| search action IN ("RunCommand", "StartSSMCommand", "ExecuteCommand")

DS0009

Process

Process Creation

Monitor for process creation events in virtual machines that are associated with cloud VM agents, such as the WindowsAzureGuestAgent.exe process on Azure virtual machines. ^[6]

Analytic 1 - Unexpected process creation

sourcetype=process_creation| search process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe")| where process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe") AND process_path != "/usr/local/bin/"

DS0012

Script

Script Execution

Monitor the execution of scripts within virtual machines, especially those initiated via cloud management services like Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.^[6]

Analytic 1 - Unauthorized script execution

sourcetype=azure:activity| search script_name IN ("script.sh", "run.ps1", "start.cmd")| where script_name IN ("script.sh", "run.ps1", "start.cmd") AND user NOT IN ("known_admins")

Cloud Administration Command

Procedure Examples

Mitigations

Detection

References