AZ_VM_CONTRIBUTOR
Summary
FSProtect ACL Alias: AZ_VM_CONTRIBUTOR
Azure Alias: Virtual Machine Contributor (Azure RBAC)
Affected Object Types: Virtual Machines, VM Scale Sets
Exploitation Certainty: Certain
Azure RBAC Role: Virtual Machine Contributor (9980e02c-c2be-4d73-94e8-173b1dc7cf3c) — manage VMs but not access to them or the virtual network/storage they are connected to
Azure RBAC Role (Classic): Classic Virtual Machine Contributor (d73bb868-a0df-4d4d-bd69-98a00b01fccb) — manage classic VMs but not access to them or the virtual network/storage they are connected to
Description
AZ_VM_CONTRIBUTOR represents the Azure Resource Manager Virtual Machine Contributor role assignment. The Classic Virtual Machine Contributor role (d73bb868-a0df-4d4d-bd69-98a00b01fccb) provides the same level of access for classic (ASM) VMs and carries the same abuse potential.
This role grants almost all abusable privileges against Virtual Machines, including:
Run commands on the VM as SYSTEM via the RunCommand API.
Manage VM configurations — start, stop, restart, resize, delete.
Manage extensions — install custom script extensions to execute arbitrary code.
Manage disks — attach/detach data disks, snapshot OS disks.
The most critical abuse vector is the ability to run commands on the VM as SYSTEM, which enables:
Full compromise of the VM operating system.
Credential harvesting from memory (Mimikatz, LSASS dumps).
Lateral movement to on-premises infrastructure if the VM is domain-joined.
Access to managed identity tokens for further Azure pivoting.
Identification
PowerShell (Az Module)
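The following Az module script is an added example, not code from the original page or the FSProtect project. It lists every principal holding either role definition ID from the summary above on each VM and VM scale set in the current subscription, including assignments inherited from the resource group, subscription or management group. It assumes Az.Accounts, Az.Compute and Az.Resources are installed and that Connect-AzAccount has already been run with at least Reader rights.

```powershell
# Added example (not from the original page): enumerate holders of
# Virtual Machine Contributor / Classic Virtual Machine Contributor per VM and VMSS.
# Assumes Connect-AzAccount has been run and the desired subscription is selected.

$roleIds = @{
    '9980e02c-c2be-4d73-94e8-173b1dc7cf3c' = 'Virtual Machine Contributor'
    'd73bb868-a0df-4d4d-bd69-98a00b01fccb' = 'Classic Virtual Machine Contributor'
}

# Both object types from "Affected Object Types": VMs and VM scale sets
$targets = @(Get-AzVM) + @(Get-AzVmss)

$findings = foreach ($t in $targets) {
    # -Scope returns assignments made directly on the resource plus those
    # inherited from parent scopes (RG, subscription, management group)
    $assignments = Get-AzRoleAssignment -Scope $t.Id |
        Where-Object { $roleIds.ContainsKey($_.RoleDefinitionId) }

    foreach ($a in $assignments) {
        [pscustomobject]@{
            Resource      = $t.Name
            ResourceGroup = $t.ResourceGroupName
            Role          = $roleIds[$a.RoleDefinitionId]
            Principal     = $a.DisplayName
            PrincipalType = $a.ObjectType        # User, Group, ServicePrincipal
            ObjectId      = $a.ObjectId
            AssignedAt    = $a.Scope             # scope where the assignment lives
            Inherited     = ($a.Scope -ne $t.Id) # $true if it comes from a parent scope
        }
    }
}

# Review every row; inherited assignments are the ones the per-VM IAM blade
# is easiest to overlook
$findings | Sort-Object Resource, Role | Format-Table -AutoSize
```

Rows with Inherited set to $true will not show up as direct assignments on the VM itself and must be removed at the scope named in AssignedAt.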
Azure GUI
Open Azure Portal → navigate to the target Virtual Machine.
Go to Access control (IAM) → Role assignments.
Filter by Role = Virtual Machine Contributor or Classic Virtual Machine Contributor.
Review all principals listed.
Exploitation
The VM Contributor role enables full abuse of Virtual Machines through RunCommand execution, managed identity token theft, and extension deployment. See the following edges for specific exploitation techniques:
Related Attack Paths:
AZ_EXECUTE_COMMAND — Run commands as SYSTEM on VMs via RunCommand API, steal managed identity tokens.
Mitigation
Minimize Virtual Machine Contributor assignments
Go to Azure Portal → target VM → Access control (IAM) → Role assignments.
Remove any principal that does not need to manage VMs.
Use Virtual Machine User Login or Virtual Machine Administrator Login for access without management privileges.
Use PIM for just-in-time access
Configure eligible assignments instead of permanent ones.
Restrict RunCommand API
Use Azure Policy to deny Microsoft.Compute/virtualMachines/runCommand/action where not needed.
Enable endpoint protection
Deploy Microsoft Defender for Endpoint or equivalent EDR on all VMs.
Detection
Monitor RunCommand executions and VM management operations.
Go to Azure Portal → Monitor → Activity log.
Filter by Operation name: Microsoft.Compute/virtualMachines/runCommand/action.
Alert on:
RunCommand invocations from unusual identities.
Custom script extension installations.
VM actions outside change management windows.
References