Azure Defender for Resource Manager offers unique protection by automatically monitoring the resource management operations in your organization, whether they’re performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic patrons. In this blog, we will look into the threats that are caused by “Living off the ground Binaries”( LoLBins ).

The term “Living off the ground, ” or LoL in short, is used to describe attackers leveraging built-in utilities to carry out attacks. LoLBins usually refer to pre-installed Windows or Linux binary tools that are normally used for legitimate purposes, but on compromised resources, is likely to be leveraged by attackers. This tactic challenges defenders aiming to distinguish between the dual avail ourselves of these tools.

The usage of LoLBins is frequently seen, mostly combined with fileless assaults, where attacker warheads surreptitiously persist within the memory of compromised processes and perform a wide range of malicious activities. Together with the use of legitimate LoLBins, attackers’ activities are more likely to remain undetected.

Attackers are increasingly applying stealthier methods to avoid detection. Proof for various categories of campaigns has been witnessed. Please find a detailed overview of how such an attack unfolds, along with recommendations on how to see malicious LoLBins’ activities on Windows.

Azure LoLBins

The concept of LoLBins is not limited to traditional functioning systems. In this post, we explore different types of Azure Compute virtual machine expansions, which are small applications that provide post-deployment configuration and automation chores on Azure Virtual Machines. For example, if a virtual machine involves software installation, anti-virus protection, or to run a script inside of it, a virtual machine( VM) expansion can be used.

Custom Script Extension downloads and executes scripts on Azure Virtual Machines, Anti-Malware extension for Windows warps different configuration characters and applies them into Windows Defender, and VMAccess Extension manages administrative customers, SSH keys and enables recovery features such as resetting the administrative password of a virtual machine( VM ).

All these expansions serve thousands of administrators coming to orchestrate their Azure fleet. But in cases where an attacker accepts certain roles within a subscription, these Azure built-in abilities will come in handy bypassing any network defense lines. Therefore, we named them Azure LoLBins.

How does it operate?

Every image on Azure Marketplace contains an Azure guest agent implanted into it( VM Agent ). The guest agent is a secure, lightweight process that oversees VM interaction with the Azure Fabric Controller. The VM Agent has a primary role in enabling and executing Azure Virtual Machine extensions. Without the Azure VM Agent, VM extensions cannot be run.

The Guest Agent is responsible for managing VM extension procedures such as installing, reporting status, updating individual extensions, and removing them. Extension packages are downloaded from the Azure Storage extension repository by the guest agent through communication with Azure fabric( over channel to ).

To perform its tasks, the guest agent runs a Local System. Consequently, warheads of expansions, such as Custom Script Extension and Run Command, run on Azure Virtual Machines with extensive privileges on the local computer.


In this section, we will examine several behaviours we recently witnessed that demonstrate the exceptionality and potential strength of the VM expansions, constructing the specific Azure IAM roles, containing the rights to call them a lucrative target for attackers.

Occurrence 1: Custom Script Extension

Custom Script Extension downloads and executes scripts on Azure Virtual Machines. This extension is useful for post-deployment configuration, software installation, or any other configuration or management tasks. Scripts is likely to be downloaded from Azure Storage or GitHub, or supplied to the Azure portal at expansion operated period. The Custom Script Extension can be run applying the Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API.

Usage of Custom Script Extension was realized spanning across different customers to fetch an executable from the same GitHub repository. We followed the traces to GitHub, finding the repository in question being publicly accessible allowed us to confirm the suspicion. The code purpose within the executed payload( hack1. sh, ascertain snippet below) is to mine cryptocurrency.

Example showing Case 1: Custom Script Extension

This behavior was observed across multiple clients from different countries within a noticeably short timeframe, together with the GitHub repository being inactive increased our suspicion project activities should not be associated with normal pen-test, red-team, or purposed activity.

Suit 2: VMAccess Expansion

VMAccess Extension can create new administrator accounts, reset the password of an existing administrator account, reset the built-in administrator account and or reset the Remote Desktop service Configuration. Moreover, for Linux VMs, the expansion can reset SSH public keys. Furthermore, similarly to other expansions, the VMAccess Extension can be executed through the Azure portal, Azure CLI, Powershell, or the Azure Virtual Machine REST API.

VM Access is extremely useful when overseeing your VMs. As an example, for Linux servers, an alternative would be to connect to the VM and execute the equivalent commands manually. Hence, it is one of the most accessible extensions due to its simplified user interface( UI) which you can access from the Azure Portal.

There is no doubt that the VMAccess Extension is a handy way for an attacker to gain initial access to VMs with raised privileges. Such notorious usages of the extension may sometimes be difficult to notice. As an example, leveraging VM Access to create a common service user or modifying an existing one.

Example showing Case 2: VMAccess Extension

Case 3: Antimalware Expansion

Microsoft Antimalware Extension for Azure is a free real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alertings when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware for Azure is a single-agent solution designed to run in the background without human intervention.

The Microsoft Antimalware for Azure solution includes the Microsoft Antimalware Client and Service, and when used in Windows environment with Windows Defender enabled, the extension will apply any optional configuration policies to be used by Windows Defender, the expansion will not deploy any additional antimalware service.

While experimenting with Microsoft Defender for Endpoint alertings for Windows and usage of the Anti-Malware extension, we noticed a correlation between alerts fired on the node followed by API calls to Azure Resource Manager. This orchestrates VM extensions, with configurations to the Anti-Malware extension that excluded the same alert-triggered payloads from being scanned in the future.

Using the Anti-Malware extension, attackers can potentially likewise disable the real-time protection before loading suspectable tools into the node or exclude specific files and directories for running unnoticed while conducting their malicious activity. Enjoying the benefit that Azure Resource Manager logs was rarely crossed in correlation to in-node telemetry.

Example showing Case 3: Antimalware Extension

Learn more

Microsoft recommends you implement detection and mitigation strategies to minimize exposure to new threats the Cloud brings. Azure Defender runs deep into dissect strike techniques in order to define and build a depth protection plan.


Azure Defender has expanded its threat detecting capabilities and recently introduced Azure Defender for Resource Manager, a new coverage for Azure deployment and management service. Every request to the Azure Resource Manager Endpoint on is logged and analyzed to reveal malicious purposes and threats.

Azure Defender for Resource Manager monitors all resource management operations performed in your organization performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Azure Defender operates advanced security analytics to see threats and alarm you when suspicious activity pass. For a listing of the Azure Defender for Resource Manager alerts, realise the reference table of alarms.


Least privilege principle is a fundamental concept in Cloud environments. Ensuring that minimum access necessary to perform a legitimate functioning would be granted to all identity forms( human or non-human ). A least privilege model for the cloud relies on the ability to continuously adjust access controls. We recommend monitoring all access events and establish a decision-making framework that distinguishes between legitimate and excess permissions.

Get started for free today

Protect your entire Azure environment with a few cases clicks and enable Azure Defender for Resource Manager. This offer is free during the preview period. Turn Azure Defender on now .

To learn more about Microsoft Security answers and our Integrated Threat protection solution visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Likewise, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure LoLBins: Protecting against the dual apply of virtual machine extensions seemed first on Microsoft Security .

Read more: