Validating Microsoft Defender for Resource Manager Alerts
This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. |
As announced at Ignite 2021, Microsoft Defender for Resource Manager plan provides threat detection against malicious usage of Azure Resource Management Layer (Portal, Rest, API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation.
You can enable Microsoft Defender for Resource Manager on your subscription via environment settings, select the subscription, change the plan to ON (as shown below) and click Save to commit the change.
Now that you have this plan set to ON, you can use the steps below to validate this threat detection:
- Provision a new VM and keep the default TCP/IP configuration.
- Connect to this machine using RDP.
- Create a file on this machine called runtime-disable-enabe.ps1 and paste the content below in this file:
Param([switch] $Force)
# Check if PowerShellGet exists
if (Get-Module -ListAvailable -Name PowerShellGet) {
Write-Host "PowerShellGet Module exists"
}
else {
if ($PSBoundParameters.ContainsKey('Force')) {
Install-Module -Name PowerShellGet -Force
}
else {
Write-Warning -Message ('PowerShellGet Not Found. Please use the -force flag to install PowerShellGet and Azure Powershell')
Exit
}
}
# Install Azure Powershell
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
'Az modules installed at the same time is not supported. Use the -force flag to install the necessary modules.')
Exit
} elseif($PSBoundParameters.ContainsKey('Force')) {
Install-Module -Name Az -AllowClobber -Scope CurrentUser
} elseif (!(Get-Module -Name Az.Compute -ListAvailable)) {
Write-Warning -Message ('Azure Powershell Not Found. Please use the -force flag to install Azure Powershell')
Exit
}
# Login User
Connect-AzAccount
# Select Subscription
$Subscription = Get-Az subscription | out-gridview -Title "Select a subscription" -PassThru
Select-AzSubscription $Subscription
# Settings to exclude a binary
$SettingsDisable = '{"AntimalwareEnabled" : "true", "Exclusions" : {"Extensions" : "", "Paths" : "", "Processes" : ""},
"RealtimeProtectionEnabled" : "false", "ScheduledScanSettings" : {"isEnabled": "true", "scanType" : "Quick", "day" : "7", "time" : "100" }}'
# Settings to remove the exclusion
$SettingsEnable = '{"AntimalwareEnabled" : "true", "Exclusions" : {"Extensions" : "", "Paths" : "", "Processes" : ""},
"RealtimeProtectionEnabled" : "true", "ScheduledScanSettings" : {"isEnabled": "true", "scanType" : "Quick", "day" : "7", "time" : "100" }}'
# Provide VM info
$VMObject = Get-AzVM | out-gridview -Title "Select a VM" -PassThru
$VMName = $VMObject.Name
$Loc = $VMObject.Location
$ResourceGroup = $VMObject.ResourceGroupName
Write-Host "Disable Runtime ..."
# Exclude the binary
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name "IaasAntimalware" -Location $Loc -Publisher "Microsoft.Azure.Security" -Type "IaasAntimalware" -TypeHandlerVersion "1.3" -SettingString $SettingsDisable
Write-Host "Enable Runtime ..."
# Remove the exclusion
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name "IaasAntimalware" -Location $Loc -Publisher "Microsoft.Azure.Security" -Type "IaasAntimalware" -TypeHandlerVersion "1.3" -SettingString $SettingsEnable
- Save this file
- Execute runtime-disable-enabe.ps1
After some minutes you should see Microsoft Defender for Resource Manager alert showing up on your dashboard, like the one below:
Is important to emphasize that these operations (disable AM runtime) are done over built-in capabilities of Azure, in this case VM extensions. Using VM extension one doesn’t need to log-in into the affected VM (no node-level credentials are required!). For a deeper discussion on a use case scenario for this threat detection, read the article Azure LoLBins: Protecting against the dual use of virtual machine extensions.
Reviewers
Tal Rosler, Program Manager
Ram Pliskin, Senior Security Research Manager
Script by Johnathan Simon, Security Researcher