Cloud Threat Landscape

Remotely execute commands or scripts on a VM

Tags
ATT&CK Tactic: Execution (TA0002)
Incidents: DarkRadiation campaign
References:
  • https://www.elastic.co/guide/en/security/current/aws-execution-via-system-manager.html
  • https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command
  • https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command
  • https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1/
Last edited: May 19, 2024 9:46 AM
Status: Stub
Defenses: Workload Runtime Protection

In AWS and Azure it is possible to run a command remotely on a VM via API.

In AWS the API is “SendCommand”, an AWS Systems Manager feature that allows remote execution of scripts and commands on Amazon EC2 instances and on-premises servers. An attacker could abuse the “SendCommand” feature to gain unauthorized access to an AWS environment or to compromise instances by running malicious scripts or commands.

In Azure the API is “microsoft.compute/virtualmachines/runcommand/action”.

The Run Command feature uses the VM agent to run PowerShell scripts within a Windows VM or a shell command on a Linux VM.

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:

  • Windows: PowerShell commands to the VM as SYSTEM.
  • Linux: Shell commands to the VM as root.
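
Both APIs named above leave a control-plane audit record, so one detection pass can cover them. The following is an added example, not code from this page or from Wiz: it scans JSON-lines audit records for CloudTrail `SendCommand` events and Azure Activity Log `runCommand/action` operations and normalizes them into findings. The record shapes, the sample records and the `EXPECTED_CALLERS` allowlist are assumptions constructed for illustration.

```python
import json

AZURE_RUNCOMMAND = "microsoft.compute/virtualmachines/runcommand/action"
# Hypothetical allowlist of principals that legitimately use remote execution.
EXPECTED_CALLERS = frozenset({"arn:aws:iam::111111111111:role/patch-automation"})

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_LOG = """\
{"eventSource":"ssm.amazonaws.com","eventName":"SendCommand","eventTime":"2024-05-01T10:00:00Z","userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-user"},"requestParameters":{"documentName":"AWS-RunShellScript","instanceIds":["i-0example0000000001"]}}
{"eventSource":"ssm.amazonaws.com","eventName":"SendCommand","eventTime":"2024-05-01T10:02:00Z","userIdentity":{"arn":"arn:aws:iam::111111111111:role/patch-automation"},"requestParameters":{"documentName":"AWS-RunShellScript","instanceIds":["i-0example0000000002"]}}
{"eventSource":"ssm.amazonaws.com","eventName":"ListCommands","eventTime":"2024-05-01T10:03:00Z","userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-user"},"requestParameters":null}
{"operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION","time":"2024-05-01T11:00:00Z","caller":"someone@example.com","resourceId":"/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"}
{"operationName":{"value":"Microsoft.Compute/virtualMachines/read"},"eventTimestamp":"2024-05-01T11:05:00Z","caller":"someone@example.com","resourceId":"/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"}
not json at all
"""

def classify(record, expected_callers=frozenset()):
    """Return a normalized finding for a remote-execution API call, else None."""
    if record.get("eventSource") == "ssm.amazonaws.com" and record.get("eventName") == "SendCommand":
        params = record.get("requestParameters") or {}  # CloudTrail may log null here
        finding = {"cloud": "aws", "time": record.get("eventTime"),
                   "caller": (record.get("userIdentity") or {}).get("arn", "unknown"),
                   "targets": params.get("instanceIds") or [], "detail": params.get("documentName")}
    else:
        op = record.get("operationName")
        if isinstance(op, dict):  # some exports wrap the name as {"value": ...}
            op = op.get("value")
        if not isinstance(op, str) or op.lower() != AZURE_RUNCOMMAND:
            return None
        finding = {"cloud": "azure", "time": record.get("time") or record.get("eventTimestamp"),
                   "caller": record.get("caller", "unknown"), "targets": [record.get("resourceId")], "detail": None}
    finding["expected"] = finding["caller"] in expected_callers
    return finding

def scan(lines, expected_callers=frozenset()):
    """Parse JSON lines, skipping malformed ones, and collect findings in order."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        finding = classify(record, expected_callers) if isinstance(record, dict) else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines(), EXPECTED_CALLERS):
        print(f)
```

Findings with `expected` set to false are the ones to triage first: a principal outside the known automation set invoking remote execution on a VM.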


Last Updated: April 3, 2025