Tags
ATT&CK Tactic
Execution (TA0002)
Incidents
References
https://www.elastic.co/guide/en/security/current/aws-execution-via-system-manager.html
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1/
Last edited
May 19, 2024 9:46 AM
Status
Stub
Defenses
In AWS and Azure it is possible to run a command remotely on a VM via API.
In AWS the API is “SendCommand”, an AWS Systems Manager feature that allows remote execution of scripts and commands on Amazon EC2 instances and on-premises servers. An attacker could abuse the “SendCommand” feature to gain unauthorized access to an AWS environment or to compromise instances by running malicious scripts or commands.
In Azure the API is “microsoft.compute/virtualmachines/runcommand/action”.
The run command feature uses the VM agent to run PowerShell scripts within a Windows VM or a shell command on a Linux VM.
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:
- Windows: PowerShell commands to the VM as SYSTEM.
- Linux: Shell commands to the VM as root.
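As an added example (not part of the original page or of either vendor's tooling), the following Python flags the two API calls described above in audit logs: an AWS CloudTrail record with eventSource `ssm.amazonaws.com` and eventName `SendCommand`, and an Azure Activity Log entry whose operationName is `microsoft.compute/virtualmachines/runcommand/action`. The sample events, account IDs, instance IDs and resource paths are constructed placeholders, and the field layout assumes the exported CloudTrail and Activity Log JSON shapes.

```python
# Constructed sample events, not real logs: one CloudTrail record for
# ssm:SendCommand, one unrelated EC2 call, one Azure Activity Log entry
# for the runCommand action. All identifiers are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0example1234567890"]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {}},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
     "caller": "user@example.com",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-example/providers/Microsoft.Compute"
                   "/virtualMachines/vm-example"},
]

AZURE_RUN_COMMAND_OP = "microsoft.compute/virtualmachines/runcommand/action"


def classify(event):
    """Return a finding for a remote-execution API call, or None."""
    # AWS: SSM SendCommand. CloudTrail records the document and targets,
    # so the finding keeps both for triage (who ran what, on which hosts).
    if (event.get("eventSource") == "ssm.amazonaws.com"
            and event.get("eventName") == "SendCommand"):
        params = event.get("requestParameters") or {}
        return {"cloud": "aws",
                "actor": (event.get("userIdentity") or {}).get("arn"),
                "targets": list(params.get("instanceIds") or []),
                "document": params.get("documentName")}
    # Azure: operationName casing varies between export paths, so
    # compare case-insensitively against the runCommand action.
    if (event.get("operationName") or "").lower() == AZURE_RUN_COMMAND_OP:
        return {"cloud": "azure", "actor": event.get("caller"),
                "targets": [event.get("resourceId")], "document": None}
    return None


def find_remote_exec(events):
    """Filter a stream of audit events down to remote-execution findings."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in find_remote_exec(SAMPLE_EVENTS):
        print(finding)
```

In production the actor and target would be compared against an allow-list of expected automation principals, since both features are also used legitimately for patching and configuration.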