Quick note on RunCommand feature on Azure VM

As a SecOps guy you are asked to perform audit on your virtual machines in Azure. The audit would be checking security patch (where Update Management hasn’t been enabled), or just simply a vulnerability verification like Spectre and Meldown.

Run Command feature is a feature you may like to use as it provides you a way to execute a command or a script against Azure VM without asking any PsRemote or SSH session to be established. Moreover, with Run Command feature you can perform remote execution against multiple virtual machines without thinking pretty much about re-setup the connection establishment.

There are some things you may need to know when using Run Command feature.

  • Run Command feature leverages the existing Azure VM Agent to download the script from Azure back-end side. With this in mind, the outbound connectivity must be available over port 443 to Azure public IP address range.
  • Run Command feature has some restrictions which you can find from this article.
  • Run Command feature requires Microsoft.Compute/virtualMachines/runCommand/action role, or Contributor role or higher.
  • Run Command feature triggers VM Agent to download script to C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0\Downloads if Windows and /var/lib/waagent/run-command/download/ if Linux.
  • Run Command log can be found in C:\WindowsAzure\Logs\Plugins\Microsoft.CPlat.Core.RunCommandWindows if Windows and /var/log/azure/run-command if Linux.

There may be a security concern when going with agent model in which the agent communicates back to outside of the network. This concern normally is brought in a case of restricting database machine in order to avoid data exfiltration over normal port like 80 or 443.

This entry was posted in Security Operation and tagged , . Bookmark the permalink.

1 Response to Quick note on RunCommand feature on Azure VM

  1. Pingback: Guidance for CVE Crypto and RDG vulnerability patching on Azure VM

Leave a Reply

Your email address will not be published.