{
	"id": "4de2d921-d02c-421a-a54a-f72a0b7569aa",
	"created_at": "2026-04-06T00:21:55.524859Z",
	"updated_at": "2026-04-10T03:20:44.719555Z",
	"deleted_at": null,
	"sha1_hash": "254442e526a0506455c3e62df7baac7cdcd0a0a2",
	"title": "Azure LoLBins: Protecting against the dual use of virtual machine extensions | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 454273,
	"plain_text": "Azure LoLBins: Protecting against the dual use of virtual machine extensions | Microsoft Security Blog\r\nBy Ram Pliskin\r\nPublished: 2021-03-09 · Archived: 2026-04-05 14:39:51 UTC\r\nAzure Defender for Resource Manager offers unique protection by automatically monitoring the resource management operations in your organization, whether they’re performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. In this blog, we will look into the threats that are caused by “Living off the land Binaries” (LoLBins).\r\nThe term “Living off the land,” or LoL in short, is used to describe attackers leveraging built-in utilities to carry out attacks. LoLBins usually refer to pre-installed Windows or Linux binary tools that are normally used for legitimate purposes but, on compromised resources, can be leveraged by attackers. This tactic challenges defenders aiming to distinguish between the dual uses of these tools.\r\nThe usage of LoLBins is frequently seen, mostly combined with fileless attacks, where attacker payloads surreptitiously persist within the memory of compromised processes and perform a wide range of malicious activities. Together with the use of legitimate LoLBins, attackers’ activities are more likely to remain undetected.\r\nAttackers are increasingly employing stealthier methods to avoid detection, and evidence of a variety of such campaigns has been witnessed. Please find a detailed overview of how such an attack unfolds, along with recommendations on how to detect malicious LoLBins activity on Windows.\r\nAzure LoLBins\r\nThe concept of LoLBins is not limited to traditional operating systems. In this post, we explore different types of Azure Compute virtual machine extensions, which are small applications that provide post-deployment configuration and automation tasks on Azure Virtual Machines. For example, if a virtual machine requires software installation, anti-virus protection, or a script to be run inside it, a virtual machine (VM) extension can be used.\r\nCustom Script Extension downloads and executes scripts on Azure Virtual Machines; the Anti-Malware extension for Windows wraps different configuration types and applies them to Windows Defender; and the VMAccess Extension manages administrative users and SSH keys and enables recovery features such as resetting the administrative password of a VM.\r\nAll these extensions serve thousands of administrators orchestrating their Azure fleets. But in cases where an attacker assumes certain roles within a subscription, these built-in Azure capabilities come in handy for bypassing any network defense lines. Therefore, we named them Azure LoLBins.\r\nHow does it work?\r\nhttps://www.microsoft.com/security/blog/2021/03/09/azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions/\r\nPage 1 of 5\r\nEvery image on Azure Marketplace ships with the Azure guest agent (VM Agent) built into it. The guest agent is a secure, lightweight process that manages VM interaction with the Azure Fabric Controller. The VM Agent has a primary role in enabling and executing Azure Virtual Machine extensions; without the Azure VM Agent, VM extensions cannot be run.\r\nThe guest agent is responsible for managing VM extension operations such as installing, reporting status, updating individual extensions, and removing them. Extension packages are downloaded from the Azure Storage extension repository by the guest agent through communication with the Azure fabric (over a channel to 168.63.129.16).\r\nTo perform its tasks, the guest agent runs as Local System. Consequently, payloads of extensions such as Custom Script Extension and Run Command run on Azure Virtual Machines with extensive privileges on the local computer.\r\nImpact\r\nIn this section, we will examine several behaviors we recently witnessed that demonstrate the exceptional power of VM extensions and make the Azure IAM roles that carry the right to invoke them a lucrative target for attackers.\r\nCase 1: Custom Script Extension\r\nCustom Script Extension downloads and executes scripts on Azure Virtual Machines. This extension is useful for post-deployment configuration, software installation, or any other configuration or management tasks. Scripts can be downloaded from Azure Storage or GitHub, or provided through the Azure portal at extension run time. The Custom Script Extension can be run using the Azure CLI, PowerShell, the Azure portal, or the Azure Virtual Machine REST API.\r\nUsage of Custom Script Extension was seen across different customers to fetch an executable from the same GitHub repository. We followed the traces to GitHub; the repository in question was publicly accessible, which allowed us to confirm the suspicion. The intent of the executed payload (hack1.sh, see snippet below) is to mine cryptocurrency.\r\nThis behavior was observed across multiple customers in different countries within a noticeably short timeframe; together with the GitHub repository being inactive, this increased our suspicion that the activity should not be attributed to normal pen-test, red-team, or otherwise intended activity.\r\nCase 2: VMAccess Extension\r\nVMAccess Extension can create new administrator accounts, reset the password of an existing administrator account, reset the built-in administrator account, and/or reset the Remote Desktop service configuration. Moreover, for Linux VMs, the extension can reset SSH public keys. Furthermore, like other extensions, the VMAccess Extension can be executed through the Azure portal, Azure CLI, PowerShell, or the Azure Virtual Machine REST API.\r\nVMAccess is extremely useful when managing your VMs: for Linux servers, the alternative would be to connect to the VM and execute the equivalent commands manually. It is also one of the most accessible extensions, thanks to a simplified user interface (UI) that you can reach from the Azure portal.\r\nThere is no doubt that the VMAccess Extension is a handy way for an attacker to gain initial access to VMs with elevated privileges. Such abuse of the extension can be difficult to notice, for example when VMAccess is used to create an innocuous-looking service user or to modify an existing one.\r\nCase 3: Antimalware Extension\r\nMicrosoft Antimalware Extension for Azure is a free real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware for Azure is a single-agent solution designed to run in the background without human intervention.\r\nThe Microsoft Antimalware for Azure solution includes the Microsoft Antimalware Client and Service. When used in a Windows environment with Windows Defender enabled, the extension applies any optional configuration policies to Windows Defender and does not deploy an additional antimalware service.\r\nWhile experimenting with Microsoft Defender for Endpoint alerts for Windows and usage of the Anti-Malware extension, we noticed a correlation between alerts fired on the node and subsequent API calls to Azure Resource Manager that reconfigured the Anti-Malware extension to exclude the very payloads that had triggered the alerts from future scans.\r\nUsing the Anti-Malware extension, attackers can also disable real-time protection before loading suspicious tools onto the node, or exclude specific files and directories so that their malicious activity goes unnoticed, benefiting from the fact that Azure Resource Manager logs were rarely correlated with in-node telemetry.\r\nLearn more\r\nMicrosoft recommends that you implement detection and mitigation strategies to minimize exposure to the new threats the cloud brings. Azure Defender dissects attack techniques in depth in order to define and build a defense-in-depth protection plan.\r\nDetection\r\nAzure Defender has expanded its threat detection capabilities and recently introduced Azure Defender for Resource Manager, new coverage for the Azure deployment and management service. Every request to the Azure Resource Manager endpoint on management.azure.com is logged and analyzed to reveal malicious intentions and threats.\r\nAzure Defender for Resource Manager monitors all resource management operations performed in your organization through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Azure Defender runs advanced security analytics to detect threats and alert you when suspicious activity occurs. For a list of the Azure Defender for Resource Manager alerts, see the reference table of alerts.\r\nMitigation\r\nThe principle of least privilege is a fundamental concept in cloud environments: every identity type (human or non-human) is granted only the minimum access necessary to perform a legitimate operation. A least privilege model for the cloud relies on the ability to continuously adjust access controls. We recommend monitoring all access events and establishing a decision-making framework that distinguishes between legitimate and excessive permissions.\r\nGet started for free today\r\nProtect your entire Azure environment with a few clicks and enable Azure Defender for Resource Manager. This offer is free during the preview period. Turn Azure Defender on now.\r\nTo learn more about Microsoft Security solutions and our Integrated Threat Protection solution, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.\r\nSource: https://www.microsoft.com/security/blog/2021/03/09/azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/03/09/azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions/"
	],
	"report_names": [
		"azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions"
	],
	"threat_actors": [],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/254442e526a0506455c3e62df7baac7cdcd0a0a2.pdf",
		"text": "https://archive.orkl.eu/254442e526a0506455c3e62df7baac7cdcd0a0a2.txt",
		"img": "https://archive.orkl.eu/254442e526a0506455c3e62df7baac7cdcd0a0a2.jpg"
	}
}