New Technique Unveiled by Researchers to Detect Azure Arc and Ensure Persistence in Enterprise Environments

Security researchers have introduced a comprehensive methodology for detecting Microsoft Azure Arc deployments and leveraging its features to maintain persistence in enterprise networks.

Azure Arc, designed to extend Azure-native management to on-premises and multi-cloud resources, has become an attractive target for adversaries due to its deep integration with both cloud and local infrastructure.

The new technique focuses on both cloud-based and on-premises indicators, providing a robust framework for reconnaissance and exploitation.

Identifying Azure Arc in Hybrid Environments

Detection of Azure Arc within an environment begins with identifying specific artifacts in both Azure and Microsoft Entra.

When an organization configures the necessary resource providers for Arc, such as Microsoft.HybridCompute, new service principals like “Arc Token Service” and “Arc Public Cloud – Servers” are created in the tenant.

While these alone do not confirm Arc deployment, their presence signals that the environment is Arc-ready.

Figure: Supported options for multi-host Arc deployments

Further, service principals tagged with “AzureArcSPN,” which are auto-generated during Arc onboarding, can be discovered by unprivileged users through Azure CLI or third-party tools like ROADrecon and AzureHound. These tags provide strong evidence of Arc-related administrative activity.

Once a system is onboarded to Arc, a managed identity is created in Entra, which can be enumerated by searching for resource IDs containing “Microsoft.HybridCompute.”

This allows attackers and defenders alike to compile a list of Arc-managed endpoints across resource groups and subscriptions.

On-premises, the presence of the “C:\Program Files\AzureConnectedMachineAgent” directory, of Arc-specific processes, and of services such as “gc_arc_service.exe” or “arcproxy.exe” is a clear indicator of an Arc client installation.

Additionally, deployment via Group Policy Objects (GPO) often results in auto-generated GPOs with distinctive naming conventions, which can be identified during Active Directory reconnaissance.

Exploiting Misconfigurations for Code Execution

According to the report, the research highlights several misconfiguration scenarios that can lead to privilege escalation and persistent access.

A critical risk arises when deployment service principals are inadvertently granted the “Azure Connected Machine Resource Administrator” role.

This role enables not only the onboarding of new devices but also remote command execution and extension management on all Arc-connected endpoints.
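The cloud-side indicators described earlier (the Arc-ready first-party principals, the “AzureArcSPN” tag, managed identities whose resource ID sits under Microsoft.HybridCompute) and the over-broad role assignment described in this section can be triaged from exported CLI data. The following Python is an added example, not code from the researchers; the records are constructed, and the field names assume the shape of `az ad sp list` and `az role assignment list` JSON output.

```python
import json

# Constructed sample shaped like `az ad sp list --all` JSON output (field names assumed).
SERVICE_PRINCIPALS = json.loads("""[
 {"displayName": "Arc Token Service", "servicePrincipalType": "Application", "tags": [],
  "alternativeNames": []},
 {"displayName": "arc-onboarding-sp", "servicePrincipalType": "Application",
  "tags": ["AzureArcSPN"], "alternativeNames": []},
 {"displayName": "srv-file-01", "servicePrincipalType": "ManagedIdentity", "tags": [],
  "alternativeNames": ["isExplicit=False", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hybrid/providers/Microsoft.HybridCompute/machines/srv-file-01"]},
 {"displayName": "billing-app", "servicePrincipalType": "Application", "tags": [],
  "alternativeNames": []}
]""")

# Constructed sample shaped like `az role assignment list --all` JSON output.
ROLE_ASSIGNMENTS = json.loads("""[
 {"principalName": "arc-onboarding-sp", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Azure Connected Machine Resource Administrator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "billing-app", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")
# First-party principals whose presence means the tenant is Arc-ready (dash variants normalised).
ARC_READY_NAMES = {"arc token service", "arc public cloud - servers"}
ONBOARDING_TAG = "AzureArcSPN"
ARC_PROVIDER = "Microsoft.HybridCompute"
# Grants remote command execution on every Arc machine; onboarding needs only
# the narrower "Azure Connected Machine Onboarding" role.
RISKY_ROLE = "Azure Connected Machine Resource Administrator"

def _norm(name):
    return name.replace("\u2013", "-").replace("\u2014", "-").lower()

def triage(sps, assignments):
    """Return the indicator lists the article describes, from SP and role-assignment data."""
    arc_ready = [sp["displayName"] for sp in sps if _norm(sp["displayName"]) in ARC_READY_NAMES]
    onboarding_spns = [sp["displayName"] for sp in sps if ONBOARDING_TAG in sp.get("tags", [])]
    # Managed identities carry the Arc machine's resource ID in alternativeNames.
    arc_machines = sorted(
        alt.rsplit("/", 1)[-1] for sp in sps if sp.get("servicePrincipalType") == "ManagedIdentity"
        for alt in sp.get("alternativeNames", []) if f"/providers/{ARC_PROVIDER}/" in alt)
    overprivileged = [(ra["principalName"], ra["scope"]) for ra in assignments
                      if ra["principalType"] == "ServicePrincipal" and ra["roleDefinitionName"] == RISKY_ROLE]
    return {"arc_ready": arc_ready, "onboarding_spns": onboarding_spns,
            "arc_machines": arc_machines, "overprivileged": overprivileged}

if __name__ == "__main__":
    for key, value in triage(SERVICE_PRINCIPALS, ROLE_ASSIGNMENTS).items():
        print(f"{key}: {value}")
```

Any entry in `overprivileged` is a service principal that can run commands on every Arc-connected host in scope and should be reviewed against the least-privilege onboarding role.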

The default deployment scripts generated by Azure Arc embed service principal secrets in plaintext, making them susceptible to discovery during routine file share reconnaissance or through access to SCCM or GPO deployment mechanisms.

Attackers can exploit these misconfigurations by recovering service principal credentials from deployment scripts or encrypted blobs, especially when network shares are broadly accessible or when DPAPI-NG encryption is configured to allow decryption by any domain computer.
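An added audit example (not from the researchers) for the deployment-script risk just described: it walks constructed onboarding scripts, here a dict standing in for files on a share, and reports only where a service-principal secret is written as a literal instead of being referenced from a variable or secret store. The script contents are constructed to resemble onboarding scripts that call `azcmagent connect`; they are not copies of generated scripts.

```python
import re

# Constructed scripts in the shape of Arc onboarding scripts (contents are assumptions, not
# copies of the generated scripts); every secret value here is a fake placeholder.
SAMPLE_SCRIPTS = {
    r"\\fs01\deploy\OnboardArc.ps1": (
        '$ServicePrincipalId = "11111111-1111-1111-1111-111111111111"\n'
        '$ServicePrincipalSecret = "FAKE-PLAINTEXT-SECRET-VALUE"\n'
        '& "$env:ProgramFiles\\AzureConnectedMachineAgent\\azcmagent.exe" connect '
        '--service-principal-id "$ServicePrincipalId" '
        '--service-principal-secret "$ServicePrincipalSecret" --tenant-id "$TenantId"\n'),
    r"\\fs01\deploy\onboard.sh": (
        'SECRET=$(cat /run/secrets/arc-sp)\n'
        'azcmagent connect --service-principal-id "$SP_ID" --service-principal-secret "$SECRET"\n'),
    r"\\fs01\deploy\legacy.sh": (
        'azcmagent connect --service-principal-id 22222222-2222-2222-2222-222222222222 '
        '--service-principal-secret FAKE-INLINE-SECRET\n'),
}

# A literal secret is either an assignment to a *Secret* variable with a quoted value, or the
# azcmagent flag followed by something that is not a shell/PowerShell variable reference.
ASSIGN_RE = re.compile(r'^\s*\$?(\w*ServicePrincipalSecret\w*|\w*SECRET\w*)\s*=\s*["\']([^"\']+)["\']', re.I)
FLAG_RE = re.compile(r'--service-principal-secret\s+["\']?([^\s"\']+)')

def _is_reference(value):
    """True for $VAR, ${VAR}, $(cmd) and %VAR% forms, which do not embed the value itself."""
    return value.startswith(("$", "%"))

def audit(scripts):
    """Return (path, line number, finding) tuples; the secret itself is never echoed."""
    findings = []
    for path, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ASSIGN_RE.search(line)
            if m and not _is_reference(m.group(2)):
                findings.append((path, lineno, "literal secret assignment"))
                continue
            m = FLAG_RE.search(line)
            if m and not _is_reference(m.group(1)):
                findings.append((path, lineno, "literal --service-principal-secret"))
    return findings

if __name__ == "__main__":
    for path, lineno, kind in audit(SAMPLE_SCRIPTS):
        print(f"{path}:{lineno}: {kind}")
```

Each finding points at a script whose secret should be rotated and moved out of the file, since the article notes such files are commonly reachable through share, SCCM or GPO access.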

Once in possession of valid credentials, adversaries can use Azure REST APIs to execute commands or deploy extensions, such as the Custom Script Extension (CSE), on Arc-managed systems.

Figure: Arc management overview window

This provides SYSTEM-level code execution and the ability to download and run arbitrary payloads, often bypassing traditional endpoint defenses.

Researchers also demonstrated that Azure Arc can serve as an out-of-band persistence mechanism.

By enrolling compromised systems into an attacker-controlled Arc tenant, adversaries can maintain remote management capabilities that are difficult to detect and remediate.

Even if a host is already Arc-managed, attackers may focus on hijacking the existing connection rather than overwriting it, as reinstallation requires elevated privileges.

The findings underscore the importance of strict role assignment and access control in Azure Arc deployments.

Organizations are advised to avoid over-provisioning service principals, restrict access to deployment scripts and network shares, and leverage extension allowlists or blocklists both locally and through Azure policies.

Regular reviews of role assignments and deployment artifacts are essential to mitigate the risk of unauthorized code execution and persistence.

This research provides both offensive and defensive insights into Azure Arc, equipping security teams with the knowledge to detect, investigate, and secure hybrid enterprise environments against emerging threats.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
