Azure Run Command: how a VM contributor becomes subscription owner
A user with Contributor on a VM can run code as the VM and borrow its managed identity. If that identity is over-privileged, it is a path to subscription owner. Here is the fix.
In Azure, control of a virtual machine quietly means control of that machine’s identity. When the identity is over-privileged, a routine Contributor role becomes a path to owning the subscription.
The escalation path
Contributor on a VM includes the right to run commands on it. Run Command executes in the VM’s local context, and any process on an Azure VM can request the VM’s managed identity token from the instance metadata service. So an attacker with Contributor runs a command, pulls the managed identity’s token, and acts as that identity. If the identity holds a powerful role such as User Access Administrator or Owner at the subscription scope, the attacker assigns themselves Owner and the subscription is theirs. The boundary that was crossed is control of a VM becoming the privileges of that VM’s identity. In ATT&CK terms this combines T1651, Cloud Administration Command, with T1098.003, Additional Cloud Roles.
Why it works
Managed identities attached to workload VMs are routinely granted far more than the workload needs, and Run Command is available to Contributor, a role that is handed out widely.
How to detect it
In the Azure Activity Log, look for a runCommand action followed shortly by a roleAssignments write, especially Owner or User Access Administrator granted to a newly created principal. Microsoft Defender for Cloud flags suspicious role assignments to new identities.
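The correlation described above, as an added example that is not part of the original article: a runCommand operation on a VM followed within a short window by a roleAssignments write whose caller is that VM's managed identity and whose role is Owner or User Access Administrator. The record dicts are a flattened, constructed approximation of Activity Log entries rather than the raw schema; the operation names and the built-in role definition IDs are the documented ones; the VM-to-identity map and the set of recently created principals are assumed to come from inventory.

```python
"""Added example (not from the original article): correlate Azure Activity Log
records to flag a VM Run Command followed shortly by a privileged role
assignment written by that VM's managed identity. Record dicts are a flattened,
constructed approximation of Activity Log entries, not the raw schema."""
from datetime import datetime, timedelta

RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
ROLE_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"

# Built-in role definition IDs of the roles that let a principal grant itself anything.
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}


def find_run_command_escalations(records, vm_identities, new_principals=frozenset(),
                                 window=timedelta(minutes=30)):
    """Return one alert per privileged roleAssignments/write whose caller is the
    managed identity of a VM that received a runCommand within `window` before it.

    records        - Activity Log entries as dicts (see SAMPLE_RECORDS for the shape)
    vm_identities  - VM resource ID -> object ID of its managed identity, taken
                     from inventory (assumed to be exported separately)
    new_principals - object IDs created recently; a grant to one of these is the
                     strongest signal, as the article notes
    """
    run_commands = [r for r in records if r["operation"] == RUN_COMMAND_OP]
    alerts = []
    for r in records:
        if r["operation"] != ROLE_WRITE_OP:
            continue
        role_name = PRIVILEGED_ROLE_IDS.get(r["role_definition_id"].lower())
        if role_name is None:
            continue  # a write of a narrow role is not this pattern
        for rc in run_commands:
            identity = vm_identities.get(rc["resource_id"].lower())
            if identity is None or identity != r["caller"]:
                continue
            gap = datetime.fromisoformat(r["time"]) - datetime.fromisoformat(rc["time"])
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "vm": rc["resource_id"],
                    "run_command_by": rc["caller"],
                    "identity": identity,
                    "granted_role": role_name,
                    "to_principal": r["principal_id"],
                    "to_new_principal": r["principal_id"] in new_principals,
                    "scope": r["scope"],
                    "seconds_between": int(gap.total_seconds()),
                })
    return alerts


# --- constructed sample data -------------------------------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01"
SAMPLE_VM_IDENTITIES = {VM.lower(): "mi-vm-web-01-objectid"}  # constructed inventory
SAMPLE_NEW_PRINCIPALS = {"sp-new-1-objectid"}                  # constructed

SAMPLE_RECORDS = [  # constructed Activity Log entries
    {"time": "2024-05-01T10:00:00", "operation": RUN_COMMAND_OP,
     "caller": "alice@contoso.example", "resource_id": VM,
     "role_definition_id": "", "principal_id": "", "scope": ""},
    {"time": "2024-05-01T10:04:10", "operation": ROLE_WRITE_OP,
     "caller": "mi-vm-web-01-objectid", "resource_id": SUB,
     "role_definition_id": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
     "principal_id": "sp-new-1-objectid", "scope": SUB},
    # Benign: an admin grants Reader hours later; not a privileged role.
    {"time": "2024-05-01T15:00:00", "operation": ROLE_WRITE_OP,
     "caller": "admin@contoso.example", "resource_id": SUB,
     "role_definition_id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
     "principal_id": "bob-objectid", "scope": SUB},
]

if __name__ == "__main__":
    for alert in find_run_command_escalations(SAMPLE_RECORDS, SAMPLE_VM_IDENTITIES,
                                              SAMPLE_NEW_PRINCIPALS):
        print(alert)
```

The join on the VM's identity is what separates this from noise: a roleAssignments write by a human administrator, or by an identity that was not the target of a recent Run Command, does not fire. The 30-minute window is a starting value; widen it if your environment shows the role write arriving later.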
How to fix it
Right-size every managed identity to least privilege at the narrowest scope, and never grant Owner or User Access Administrator to a workload VM’s identity. Restrict Run Command to break-glass roles using a custom role or Azure Policy. Require just-in-time elevation through Privileged Identity Management for any role-assignment rights, so standing privilege is minimal. Lock Key Vault behind RBAC and a private endpoint. With those in place, a compromised VM yields only its own narrow identity.
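One way to build and check the custom role mentioned above, as an added example that is not the article's or any vendor's code: a role in the shape `az role definition create` accepts (Name, Actions, NotActions, AssignableScopes), with both Run Command operation names listed in NotActions, plus a small evaluator that applies Azure RBAC's Actions/NotActions wildcard semantics so you can confirm a role does not permit Run Command before assigning it. The custom role name and scope are assumptions; the Contributor entry is an abbreviated sketch of the built-in role, not its full definition.

```python
"""Added example (not from the original article): evaluate whether an Azure RBAC
role definition permits the Run Command operations. Azure grants an operation
when some Actions pattern matches it and no NotActions pattern matches it;
'*' matches any characters, and matching is case-insensitive."""
from fnmatch import fnmatchcase

RUN_COMMAND_OPERATIONS = (
    "Microsoft.Compute/virtualMachines/runCommand/action",   # ad-hoc Run Command
    "Microsoft.Compute/virtualMachines/runCommands/write",   # managed Run Command resource
)


def _matches(pattern, operation):
    return fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation):
    """True if any Actions pattern matches and no NotActions pattern matches."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not denied


def permits_run_command(role):
    """Return the Run Command operations this role still permits (empty is the goal)."""
    return [op for op in RUN_COMMAND_OPERATIONS if role_allows(role, op)]


# Abbreviated sketch of the built-in Contributor role (constructed, not the full list).
CONTRIBUTOR_SKETCH = {
    "Name": "Contributor (sketch)",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Hypothetical custom role for day-to-day VM operators: everything under the VM
# resource except Run Command. Name and subscription ID are placeholders.
VM_OPERATOR_NO_RUN_COMMAND = {
    "Name": "VM Operator (no Run Command)",
    "Description": "Manage VMs without the ability to execute code inside them.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": list(RUN_COMMAND_OPERATIONS),
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

if __name__ == "__main__":
    for role in (CONTRIBUTOR_SKETCH, VM_OPERATOR_NO_RUN_COMMAND):
        print(role["Name"], "->", permits_run_command(role) or "no Run Command")
```

Two details matter when you adopt this. Contributor's Actions is a bare `*`, so taking Run Command away means cloning the role and adding NotActions rather than editing the built-in. And NotActions is a subtraction from this role only, not a deny: a principal that also holds Contributor, or any other role whose Actions cover Run Command, keeps the permission, which is why the article pairs the custom role with an Azure Policy and PIM-gated elevation for the break-glass path.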
Practice it
We built this scenario in GraphLattice Range so administrators see the Run Command escalation and apply the least-privilege and policy controls that stop it.