In my previous post I proved how dangerous extensions for Azure VM can be. Now it’s time for another interesting feature - Run Commands!

Other series posts

This post is part of the Gain control over any Azure VM series.

The following entries are included in this series:

  1. Introduction to VM Extensions
  2. [This post] Introduction to Run Commands
  3. Run Commands and VM Extensions demo
  4. Run Commands and VM Extensions audit
  5. Securing against Run Commands and VM Extensions

Pssst: Some of the entries are still in progress, but as soon as I finish them, they will be linked above.

What are Run Commands?

Run Commands is nothing more than the ability to run PowerShell scripts (or Bash scripts, if you’re a penguin (Linux) user 🐧) using the Azure VM Agent.

Sound familiar? If you read my previous post, we can achieve exactly the same results using Custom Script Extension (CSE).

Run Commands vs Custom Script Extension (CSE)

What are the main differences between Run Commands and Custom Script Extension (CSE) and which one should you use?

  • Run Commands are newer and even have their successor - Managed Run Commands.
  • Custom Script Extension doesn’t support multiple instances - you can only install/run one extension/script at a time.
  • Managed Run Commands allow you to run multiple scripts/instances simultaneously.
  • Run Commands and Managed Run Commands are governed by different RBAC permissions than VM extensions, so if your administrator has revoked your ability to install VM extensions, there’s still a chance they haven’t revoked your Run Commands rights.

Refer to the Microsoft documentation for a complete list of new features for Managed Run Commands.

You can choose either method, but it’s better to use Run Commands rather than making your life harder 😀

Built-in Run Commands

The Azure portal contains several built-in Run Commands that cannot be edited.

For those who want to save their internet data, I have also listed them in the table below:

Name                    Description
RunPowerShellScript     Executes a PowerShell script
DisableNLA              Disable Network Level Authentication
DisableWindowsUpdate    Disable Windows Update Automatic Updates
EnableAdminAccount      Enable administrator account
EnableEMS               Enable EMS
EnableRemotePS          Enable remote PowerShell
EnableWindowsUpdate     Enable Windows Update Automatic Updates
IPConfig                List IP configuration
RDPSettings             Verify RDP Listener Settings
ResetRDPCert            Restore RDP Authentication mode to defaults
SetRDPPort              Set Remote Desktop port

This time, we can only enable the built-in administrator account. We cannot change its password. To fix this limitation, we will need to write our own script 😉

Use Run Commands to change the local administrator password

To change the local administrator account password, we will utilize the RunPowerShellScript run command along with a modified version of the EnableAdminAccount option.

The script can be downloaded from my GitHub repository.

Instructions

  1. Navigate to your virtual machine.
  2. Choose Run Command > RunPowerShellScript.
  3. Paste the contents of the script body from GitHub - ResetAdminAccount.ps1.
  4. Enter the new password for the admin account in the second line of the script.
  5. Click the Run button.
  6. Done, you are now an administrator!

Picture Guide

BTW: I know the numbering of the steps doesn’t match, but who checks that 🙃

Quick verification

If the script returns no errors, you should see the built-in administrator account name in the output.

Log in to your Virtual Machine via RDP or Bastion and see if our trick worked - in my case it did 🙂

How to block Run Commands?

Similar to Azure VM Extensions, we just need to edit the Azure roles used by our administrators and revoke their Run Commands rights.

The right to revoke is:

Microsoft.Compute/virtualMachines/runCommand/action

…but just to be safe, I removed all rights to Run Commands including reader permissions.

Detailed instructions on creating a new Custom Role can be found in my previous post.

Ready-made Custom Role templates are available on my GitHub:

Roles can be created using either Azure Portal (GUI) or Azure PowerShell (CLI).
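
To check which role definitions still grant Run Command rights, the sketch below evaluates them the way Azure RBAC does: Actions (with `*` wildcards) minus NotActions. It is an added example, not code from my GitHub repository; the sample roles and their names are constructed, and the managed Run Command operation `runCommands/write` is checked in addition to the right named above.

```powershell
# Added example: report role definitions that still permit Run Commands.
# The first operation is the right named in this post; the second is the
# write operation on managed Run Command resources.
$RunCommandOperations = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/runCommands/write'
)

function Test-RoleAllowsOperation {
    param(
        [Parameter(Mandatory)] $Role,
        [Parameter(Mandatory)] [string] $Operation
    )
    # Azure RBAC: effective rights = Actions minus NotActions, '*' is a wildcard.
    $allowed = $false
    foreach ($pattern in @($Role.Actions)) {
        if ($Operation -like $pattern) { $allowed = $true; break }
    }
    if (-not $allowed) { return $false }
    foreach ($pattern in @($Role.NotActions)) {
        if ($Operation -like $pattern) { return $false }
    }
    return $true
}

# Constructed sample roles (hypothetical names). In a live subscription use:
#   $roles = Get-AzRoleDefinition
$roles = @(
    [pscustomobject]@{ Name = 'VM Contributor (sample)'
        Actions = @('Microsoft.Compute/virtualMachines/*'); NotActions = @() },
    [pscustomobject]@{ Name = 'VM Operator without Run Commands (sample)'
        Actions = @('Microsoft.Compute/virtualMachines/*')
        NotActions = @('Microsoft.Compute/virtualMachines/runCommand/action',
                       'Microsoft.Compute/virtualMachines/runCommands/*') },
    [pscustomobject]@{ Name = 'Half-fixed role (sample)'
        Actions = @('*')
        NotActions = @('Microsoft.Compute/virtualMachines/runCommand/action') },
    [pscustomobject]@{ Name = 'VM Reader (sample)'
        Actions = @('*/read'); NotActions = @() }
)

foreach ($role in $roles) {
    $granted = $RunCommandOperations |
        Where-Object { Test-RoleAllowsOperation -Role $role -Operation $_ }
    if ($granted) {
        [pscustomobject]@{ Role = $role.Name; StillGrants = ($granted -join ', ') }
    }
}
```

NotActions only subtracts within a single role definition, so an administrator who holds a second role granting the operation keeps the right; run the check over every role assigned to them.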

Let’s verify the new roles

Wait a few minutes and re-run any script using Run Commands. If the new roles are in effect, you should see errors like these:

Listing Run Commands error

Error while executing Run Commands

As you can see, nothing works - good job, you ruined all the fun for the admins 🛑

Conclusion

Another day brings new proble… challenges! Congratulations on cracking another one today. As a reward, I’ve included a meme for you. Enjoy!

See you in the next post!

Additional resources

  1. Run scripts in your Windows VM by using managed Run Commands
  2. RunCommand vs Custom Script Extension vs VM Applications