Azure Arc as a backdoor: cloud-driven commands a password reset cannot stop
Azure Arc projects on-prem servers into the cloud control plane and gives them a managed identity. Abused, it is hybrid persistence that survives local credential changes.
Commands are running on your on-prem server with nobody logged in locally. They are coming from the cloud, and a local password reset will not stop them.
How the attack works
An attacker abuses Azure Arc to gain durable control over hybrid servers. They onboard attacker-staged machines or hijack the Connected Machine agent on existing on-prem servers, then push a run-command or CustomScript extension that executes locally as the Arc agent. The agent carries a system-assigned managed identity, so the attacker requests its token and uses it against Azure resources, bridging on-prem and cloud. The Activity Log records the HybridCompute machine connect, the run-command push that runs without a local interactive logon, and the managed-identity token use. This survives local password resets and reboots. In ATT&CK terms this is T1651, Cloud Administration Command, paired with T1098, Account Manipulation.
Why it works
Arc-managed machines are governed from the cloud control plane, not from local login. Onboarding and run-command rights were available too broadly, and the Arc identity held standing Azure roles, so the convenience of cloud management became a persistence path.
How to fix it
Arc is cloud-driven and identity-backed, so a local password reset does nothing. Disconnect or delete the Arc machine resource so cloud commands stop, revoke the Arc system-assigned managed identity’s role assignments, and isolate the on-prem host. A reboot just re-reads the same connection. For the root cause, restrict who can onboard Arc machines and run commands, scope each Arc identity to least privilege, gate Arc management roles behind PIM, and alert on onboarding and run-command operations. Scope the incident by correlating the Arc machine Activity Log, the agent logs, and the Activity Log of every cloud resource the Arc identity touched, because the blast radius spans both planes.
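An added example, not code from the original post or from GraphLattice Range, showing the two checks the fix calls for: alerting on Arc onboarding, run-command and extension writes by non-approved callers, and scoping which cloud resources the Arc managed identity touched. It runs over constructed Activity Log records with simplified field names; the identityPrincipalId link between the machine write and later caller values is an assumption of this example, while the Microsoft.HybridCompute operation names are the real RBAC operations.

```python
from collections import defaultdict

# Constructed sample Activity Log records (simplified field names, not a real export).
# Callers, principal ids and resource names are made up; the operation names are real.
RG = "/subscriptions/S/resourceGroups/rg/providers/"
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.HybridCompute/machines/write", "caller": "jdoe@example.test",
     "identityPrincipalId": "mi-1111", "resourceId": RG + "Microsoft.HybridCompute/machines/srv01"},
    {"operationName": "Microsoft.HybridCompute/machines/runCommands/write", "caller": "jdoe@example.test",
     "resourceId": RG + "Microsoft.HybridCompute/machines/srv01/runCommands/rc1"},
    {"operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "mi-1111",
     "resourceId": RG + "Microsoft.Storage/storageAccounts/sa1"},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "caller": "ops@example.test",
     "resourceId": RG + "Microsoft.Compute/virtualMachines/vm1"},
]

# Control-plane operations that onboard an Arc machine or push code to it.
ARC_CONTROL_OPS = {
    "microsoft.hybridcompute/machines/write",              # onboarding / connect
    "microsoft.hybridcompute/machines/runcommands/write",  # run-command push
    "microsoft.hybridcompute/machines/extensions/write",   # extension install, e.g. CustomScript
}

def machine_resource_id(resource_id):
    """Reduce a machine, runCommand or extension resource id to the parent Arc machine id."""
    parts = resource_id.split("/")
    return "/".join(parts[:parts.index("machines") + 2])

def arc_control_events(events, approved_callers=()):
    """Alert rule: Arc onboarding / run-command / extension writes by a non-approved caller."""
    approved = {c.lower() for c in approved_callers}
    return [e for e in events
            if e["operationName"].lower() in ARC_CONTROL_OPS
            and e["caller"].lower() not in approved]

def arc_identity_activity(events):
    """Scoping: map each Arc machine to the cloud operations its managed identity performed."""
    # Assumed: the onboarding write carries the machine's managed-identity principal id,
    # and later events whose caller equals that principal are the identity being used.
    principal_to_machine = {e["identityPrincipalId"]: machine_resource_id(e["resourceId"])
                            for e in events if e.get("identityPrincipalId")}
    touched = defaultdict(list)
    for e in events:
        if e["caller"] in principal_to_machine:
            touched[principal_to_machine[e["caller"]]].append((e["operationName"], e["resourceId"]))
    return dict(touched)
```

Feed arc_control_events the callers your onboarding runbook actually uses and page on anything else; feed arc_identity_activity the Activity Logs of every subscription the Arc identity holds roles in, not just the one hosting the machine.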
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse cutting Arc-based hybrid persistence at the connection and the identity, not the local host.