Is Azure VMInsight capable of providing some security for your Azure Resources?
VM insights provides a quick and easy method for getting started monitoring the client workloads on your virtual machines and virtual machine scale sets. It displays an inventory of your existing VMs and provides a guided experience to enable base monitoring for them. It also monitors the performance of your virtual machines and virtual machine scale sets by collecting data on their running processes and dependencies on other resources.
VM insights supports Windows and Linux operating systems on:
- Azure virtual machines.
- Azure virtual machine scale sets.
- Hybrid virtual machines connected with Azure Arc.
- On-premises virtual machines.
- Virtual machines hosted in another cloud environment.
VM insights provides a set of predefined workbooks that allow you to view trending of collected performance data over time. You can view this data in a single VM from the virtual machine directly, or you can use Azure Monitor to deliver an aggregated view of multiple VMs.
From <https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview>
First Step:
Enable on an Azure VM
Note: VM has to be running
So the VM Insights deployment succeeded; let's add it to a dashboard for easy review
To access the Insights, we go to the VM resource itself and click on "Insights":
I check out the Monitoring Configuration
Next, we need to run some testing. I want to see what populates in Insights without the recommended alerts enabled
When you visit the logs in Insights:
There are different ways to look at activity, and this is before we set any alerts
So next I'm going to run some basic enumeration from my attack VM to simulate attacker recon and some initial access vectors, to see what gets picked up in the logs
There is also a classic Log Analytics function and a new version, so I'm going to check out both
To test, we have to know the public IP so that my attack VM can reach it
On my attack VM, I begin by pinging the public IP of my Azure VM. We get replies, so the attack VM can reach the target Azure VM
Next we run Nmap with some aggressive scan options
This is correct: I have SSH open so that I can connect to and manage the VM. I can open a web server or two to extend the attack surface for testing
Just going to see if there are any collections for this activity yet, even though it's just one execution
Nmap has its own User-Agent string for its HTTP probes, so it can be loud in that way
Unexpected Nmap activity isn't damning, but it isn't typical sysadmin or maintenance activity either
Nothing picked up, but there can be a delay in log collection, so let's try some more activity
To continue and try some credential and post-exploitation activity, I am configuring a Contributor role assignment for a user in the Resource Group
One of the first things I like to do, once I believe I have credentials that are legitimate (there's an app for that!), is to check MFA enablement
Let's use GraphRunner to take a look with some recon through the MS Graph API, since it grants single-factor access
OK, and now we have Graph tokens
We have tokens so we should leverage those for some initial recon
Next we will check for Conditional Access Policies, as an attacker would
There are none because I haven't set them up yet
Next we will look at applications
From this, the first thing that stands out is that Defender is active. I have it installed but I'm not using those capabilities in this post, though I will be later in the series. An attacker likes to know that so they can adjust their TTPs.
We also see the VM that we are targeting
I didn't get much (actually, nothing) in the monitoring logs for the access, the Nmap scans, or the abuse of Graph tokens
Here's an example: no security events of any kind
So next we spin up a Windows-based Azure VM in the same resource group; I want to see if there is better logging on Windows.
Again, starting with an Nmap scan of the VM's public IP
Then I ran all the GraphRunner commands I ran on the Ubuntu-based Azure VM
Immediately checking the logs, I don’t see any security events generated
I'm going to wait at least an hour to see if any generate
Waited two hours and still nothing
NOTE: I did get a spot check from another researcher, and he confirmed my findings
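As an added example (not part of the original post), these are the two Log Analytics queries I would use to make this check repeatable instead of eyeballing the portal: the first asks whether the VM Insights tables hold any rows for the target VM in the test window, the second looks in VMConnection (populated only when the Map/dependency agent is enabled) for inbound connections from the attack VM across many distinct ports, which is the shape an Nmap scan leaves. The computer name, attack IP, and 2h window are placeholders.

```kql
// Added example, not from the original post. Placeholders: the target VM's
// Log Analytics Computer name, the attack VM's public IP, and the test window.
// Query 1: did VM Insights write anything at all for this host during the test?
let target = "<vm-computer-name>";
let window = 2h;
union withsource=SourceTable InsightsMetrics, VMConnection, VMProcess, VMBoundPort
| where TimeGenerated > ago(window) and Computer == target
| summarize Rows = count(), LastSeen = max(TimeGenerated) by SourceTable
| order by SourceTable asc

// Query 2 (run separately): inbound connections from the attack VM, bucketed in
// 5-minute bins. One source touching many distinct destination ports in a bin
// is what a port scan looks like in VMConnection.
let target = "<vm-computer-name>";
let attacker = "<attack-vm-public-ip>";
let window = 2h;
VMConnection
| where TimeGenerated > ago(window) and Computer == target
| where Direction == "inbound" and SourceIp == attacker
| summarize DistinctPorts = dcount(DestinationPort),
            Established = sum(LinksEstablished),
            Failed = sum(LinksFailed)
    by SourceIp, bin(TimeGenerated, 5m)
| where DistinctPorts > 20
| order by TimeGenerated asc
```

If Query 1 shows no rows for VMConnection, the Map feature is not collecting on that host and an empty Query 2 tells you nothing about the scan; only after VMConnection has rows does an empty Query 2 mean the scan went unrecorded.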
Conclusion:
This is very anticlimactic, but the takeaway here is that this is not worth it for security monitoring. This isn't even technically an out-of-the-box solution. VM Insights seems to be better suited as a performance monitoring solution than as anything for collecting security logs, setting alerts, and threat hunting. It collected nothing, and I was pretty loud.
I wanted to do more testing with VM Insights and Monitoring, but it is clear to me that it isn't a viable resource for security.
Next, I will be testing the same emulation steps with Microsoft Defender for Cloud, which was renamed from Azure Security Center.