1. Home
  2. Techniques
  3. Enterprise
  4. Cloud Administration Command

Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.[1][2][3]

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.[4]

ID: T1651
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: Azure AD, IaaS
Contributors: Adrien Bataille; Anders Vejlby; Caio Silva; Cisco; Jared Wilson; Nader Zaveri; Nichols Jasper
Version: 1.0
Created: 13 March 2023
Last Modified: 14 April 2023
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can execute commands on Azure virtual machines using the VM agent.[5]
G0016 APT29

APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.[4]
S1091 Pacu

Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.[6]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributer and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.[7] In Azure AD, limit the number of Global and Intune administrators to only those required. In AWS, limit users with permission to execute the ssm:SendCommand action, and use tags to restrict the number of machines those users can execute commands on.[8]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor commands and scripts executed on virtual machines. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.[7]
DS0009 Process Process Creation

Monitor virtual machines for the creation of processes associated with cloud virtual machine agents. In Windows-based Azure machines, monitor for the WindowsAzureGuestAgent.exe process.[7]
DS0012 Script Script Execution

Monitor commands and scripts executed on virtual machines. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.[7]

References

  1. AWS. (n.d.). AWS Systems Manager Run Command. Retrieved March 13, 2023.
  2. Microsoft. (2023, March 10). Run scripts in your VM by using Run Command. Retrieved March 13, 2023.
  3. Andy Robbins. (2020, August 17). Death from Above: Lateral Movement from Azure to On-Prem AD. Retrieved March 13, 2023.
  4. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  1. Dr. Nestori Syynimaa. (2020, June 4). Getting root access to Azure VMs as a Azure AD Global Administrator. Retrieved March 13, 2023.
  2. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  3. Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023.
  4. AWS. (n.d.). Setting up Run Command. Retrieved March 13, 2023.