Validating Microsoft Defender for Resource Manager Alerts

Published Mar 22 2021 05:07 AM 2,468 Views
Microsoft

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.  This document does not provide you with any legal rights to any intellectual property in any Microsoft product.  You may copy and use this document for your internal, reference purposes.

 

As announced at Ignite 2021, Microsoft Defender for Resource Manager plan provides threat detection against malicious usage of Azure Resource Management Layer (Portal, Rest, API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation.

You can enable Microsoft Defender for Resource Manager on your subscription via environment settings, select the subscription, change the plan to ON (as shown below) and click Save to commit the change.

 

resourcemanager.jpg

Now that you have this plan set to ON, you can use the steps below to validate this threat detection:

  1. Provision a new VM and keep the default TCP/IP configuration.
  2. Connect to this machine using RDP.
  3. Create a file on this machine called runtime-disable-enabe.ps1 and paste the content below in this file:

 

 

 

Param([switch] $Force)

# Check if PowerShellGet exists
if (Get-Module -ListAvailable -Name PowerShellGet) {
    Write-Host "PowerShellGet Module exists"
} 
else {
    if ($PSBoundParameters.ContainsKey('Force')) {
        Install-Module -Name PowerShellGet -Force
    }
    else {
        Write-Warning -Message ('PowerShellGet Not Found. Please use the -force flag to install PowerShellGet and Azure Powershell')
        Exit
    }
}

# Install Azure Powershell
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported. Use the -force flag to install the necessary modules.')
    Exit

} elseif($PSBoundParameters.ContainsKey('Force')) {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser

} elseif (!(Get-Module -Name Az.Compute -ListAvailable)) {
    Write-Warning -Message ('Azure Powershell Not Found. Please use the -force flag to install Azure Powershell')
    Exit
}

# Login User
Connect-AzAccount

# Select Subscription
$Subscription = Get-Az subscription | out-gridview -Title "Select a subscription" -PassThru
Select-AzSubscription $Subscription

# Settings to exclude a binary
$SettingsDisable = '{"AntimalwareEnabled" : "true", "Exclusions" : {"Extensions" : "", "Paths" : "", "Processes" : ""},
          "RealtimeProtectionEnabled" : "false", "ScheduledScanSettings" : {"isEnabled": "true", "scanType" : "Quick", "day" : "7", "time" : "100" }}'

# Settings to remove the exclusion
$SettingsEnable = '{"AntimalwareEnabled" : "true", "Exclusions" : {"Extensions" : "", "Paths" : "", "Processes" : ""},
          "RealtimeProtectionEnabled" : "true", "ScheduledScanSettings" : {"isEnabled": "true", "scanType" : "Quick", "day" : "7", "time" : "100" }}'

# Provide VM info
$VMObject = Get-AzVM | out-gridview -Title "Select a VM" -PassThru
$VMName = $VMObject.Name
$Loc = $VMObject.Location
$ResourceGroup = $VMObject.ResourceGroupName

Write-Host "Disable Runtime ..."

# Exclude the binary
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name "IaasAntimalware" -Location $Loc -Publisher "Microsoft.Azure.Security" -Type "IaasAntimalware" -TypeHandlerVersion "1.3" -SettingString $SettingsDisable

Write-Host "Enable Runtime ..."

# Remove the exclusion
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name "IaasAntimalware" -Location $Loc -Publisher "Microsoft.Azure.Security" -Type "IaasAntimalware" -TypeHandlerVersion "1.3" -SettingString $SettingsEnable

 

 

 

 

  1. Save this file
  2. Execute runtime-disable-enabe.ps1

 

After some minutes you should see Microsoft Defender for Resource Manager alert showing up on your dashboard, like the one below:

 

Fig2.JPG

 

Is important to emphasize that these operations (disable AM runtime) are done over built-in capabilities of Azure, in this case VM extensions. Using VM extension one doesn’t need to log-in into the affected VM (no node-level credentials are required!). For a deeper discussion on a use case scenario for this threat detection, read the article Azure LoLBins: Protecting against the dual use of virtual machine extensions.

 

Reviewers

Tal Rosler, Program Manager

Ram Pliskin, Senior Security Research Manager

Script by Johnathan Simon, Security Researcher

Co-Authors
Version history
Last update:
‎Oct 28 2021 12:11 AM
Updated by: