Azure RM Tool VS Code may trigger ASC alert

If you work with Azure ARM templates in VS Code, you probably know about the extension called Azure Resource Manager (ARM) Tools. For those who use VS Code on Linux, the extension ships all of its compiled DLLs to your virtual machine, and sometimes one of those DLLs is executed.

In this article, let's see why Azure Security Center (ASC) raises an alert related to this ARM tool.

As explained above, if you use the ARM tool in VS Code on Linux and your virtual machine is connected to ASC, you may encounter the alert named “Executable found running from a suspicious location”.

To reproduce it, there are some prerequisites:

Once the ARM tool extension is installed on your Linux virtual machine, its working directory is located under the user's home directory:

/home/{user_profile}/.vscode/extensions/msazurermtools.azurerm-vscode-tools-0.8.2

ARM Tools DLLs are found on Linux

If you install it on Windows, the path follows the same pattern:

C:\Users\{user_profile}\.vscode\extensions\msazurermtools.azurerm-vscode-tools-0.8.3

When working on a Linux box, the language server service may call Microsoft.ArmLanguageServer.dll with --help as an input argument:

../Microsoft.ArmLanguageServer.dll --help

This execution may trigger Azure Security Center because a DLL is not a normal executable to see running on Linux. What does the command above do? You can decompile Microsoft.ArmLanguageServer.dll and locate the Program class to see:

// Decompiled excerpt from the Program class in Microsoft.ArmLanguageServer.dll.
// The --help / -h branch only prints the version and usage text, then flags
// the options so the caller exits without starting the language server.
if (Program.IsOption(args[i], "--help", "-h"))
{
    Console.WriteLine("ARM Template Language Server");
    Console.WriteLine("Version: " + typeof (Program).Assembly.GetCustomAttribute<AssemblyInformationalVersionAttribute>().InformationalVersion);
    Console.WriteLine();
    Console.WriteLine("Command-line arguments:");
    Console.WriteLine("  --logLevel (-l)           Log level (default = Information)");
    Console.WriteLine("      Allowed values        Trace, Debug, Information, Warning, Error, Critical, None");
    Console.WriteLine("  --wait-for-debugger (-w)  Wait for a debugger to be attached and then break during initialization");
    // Tell the caller to stop after printing help.
    options.ShowHelpAndExit = true;
    return new ValueTuple<List<string>, LogLevel, LanguageServerOptions>(warnings, logLevel, options);
}

If you ever see an ASC alert associated with the ARM tool on Linux, you should mark it as a false positive and ignore it. I'm not sure whether shipping the DLL files to Linux is a Microsoft mistake. They look like non-functional files, though.
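Before dismissing such an alert, it is worth confirming that the flagged process really matches the pattern described above (the DLL sitting under the extension directory in the user's own home, invoked only with --help) rather than a same-named DLL somewhere else or with unexpected arguments. The following Python script is an added example, not code from this post or from the ARM Tools extension: it triages constructed process-start records against that pattern. The record layout, the classification labels, and the `bin` working subdirectory in the first sample are my own assumptions; the flag names come from the decompiled help text quoted above.

```python
import posixpath
import re
import shlex
from dataclasses import dataclass

# Directory layout quoted in the post. The version is matched loosely so the
# rule survives extension updates (0.8.2, 0.8.3, ...).
ARM_TOOLS_DIR = re.compile(
    r"^/home/(?P<user>[^/]+)/\.vscode/extensions/"
    r"msazurermtools\.azurerm-vscode-tools-(?P<version>\d+\.\d+\.\d+)/"
)
ARM_DLL = "Microsoft.ArmLanguageServer.dll"
# Flags documented by the decompiled --help branch.
HELP_FLAGS = {"--help", "-h"}
KNOWN_FLAGS = HELP_FLAGS | {"--logLevel", "-l", "--wait-for-debugger", "-w"}


@dataclass
class ProcessEvent:
    """Minimal process-start record (constructed layout, not the ASC alert schema)."""
    user: str      # login name of the account that started the process
    cwd: str       # working directory of the process
    cmdline: str   # full command line as recorded


def _tokens(event):
    return shlex.split(event.cmdline)


def resolve_dll_path(event):
    """Return the absolute path of the ARM language-server DLL named on the
    command line (relative paths resolved against cwd), or None if absent."""
    for tok in _tokens(event):
        if posixpath.basename(tok) == ARM_DLL:
            return posixpath.normpath(posixpath.join(event.cwd, tok))
    return None


def triage(event):
    """Classify one event for alert triage:
      expected_arm_tools_help    DLL under the user's own extension dir, only --help/-h
      arm_tools_other_args       same DLL and dir, other documented flags -> quick review
      arm_dll_unknown_args       same DLL and dir, undocumented arguments -> investigate
      arm_dll_outside_extension  DLL name seen outside the extension dir -> investigate
      unrelated                  the command line does not reference this DLL
    """
    dll = resolve_dll_path(event)
    if dll is None:
        return "unrelated"
    m = ARM_TOOLS_DIR.match(dll)
    # The home directory in the path must belong to the user running the process.
    if not m or m.group("user") != event.user:
        return "arm_dll_outside_extension"
    toks = _tokens(event)
    dll_index = next(i for i, t in enumerate(toks) if posixpath.basename(t) == ARM_DLL)
    args = toks[dll_index + 1:]
    if args and all(a in HELP_FLAGS for a in args):
        return "expected_arm_tools_help"
    flags = [a for a in args if a.startswith("-")]
    if all(f in KNOWN_FLAGS for f in flags):
        return "arm_tools_other_args"
    return "arm_dll_unknown_args"


def triage_all(events):
    """Return a list of (cmdline, verdict) pairs for a batch of events."""
    return [(e.cmdline, triage(e)) for e in events]


# Constructed sample records; "bin" is an assumed working subdirectory.
EXT_ROOT = "/home/alice/.vscode/extensions/msazurermtools.azurerm-vscode-tools-0.8.2"
SAMPLE_EVENTS = [
    ProcessEvent("alice", EXT_ROOT + "/bin", "dotnet ../Microsoft.ArmLanguageServer.dll --help"),
    ProcessEvent("alice", EXT_ROOT, "dotnet Microsoft.ArmLanguageServer.dll --logLevel Debug"),
    ProcessEvent("bob", "/tmp", "dotnet /tmp/Microsoft.ArmLanguageServer.dll --help"),
    ProcessEvent("alice", "/home/alice", "dotnet " + EXT_ROOT + "/Microsoft.ArmLanguageServer.dll --foo"),
    ProcessEvent("carol", "/home/carol", "python3 script.py"),
]

if __name__ == "__main__":
    for cmdline, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{verdict:28} {cmdline}")
```

Only the first verdict is the benign case the post describes; the same DLL name running from another directory, under a different user's home, or with arguments the help text does not document is kept out of the auto-dismiss bucket so it still gets a human look.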

This entry was posted in Monitoring & Detection.
