Monday, December 8, 2025

New Breakthrough – Researchers Develop Innovative Method to Identify and Persist Through Azure Arc in Enterprise Networks

A recent red team operation identified a significant security risk related to Microsoft Azure Arc, a service that bridges Azure management to on-premises and multi-cloud resources.

The team stumbled across a PowerShell onboarding script with a hardcoded Service Principal secret.

This credential, intended for automating Arc deployments, enabled attackers to move laterally, achieve code execution as SYSTEM on domain controllers, and pivot into Azure cloud resources, all by exploiting common misconfigurations in real-world hybrid environments.

Identifying and Exploiting Arc: Attack Paths and Code Execution Vectors

Azure Arc was introduced in 2019 to enable seamless management of non-Azure infrastructure, including Windows and Linux servers, Kubernetes clusters, and VMware vCenter hosts, through Azure’s Resource Manager and Role-Based Access Control (RBAC).

The core risk: once the Arc agent is installed, the host becomes accessible for remote management, monitoring, update control, and crucially, command execution from the cloud.

Red team investigations revealed two main attack surfaces:

Azure Artifacts:
Attackers can enumerate Arc Service Principals and managed identities through Entra (Azure AD) and standard tools (ROADrecon, AzureHound).

If a Service Principal holds the powerful Azure Connected Machine Resource Administrator role, it can register new machines, run arbitrary commands, or deploy extensions through Arc, potentially on every server that has been onboarded.

On-Premises Signs:
On hosts, Arc leaves behind clear artifacts: the C:\Program Files\AzureConnectedMachineAgent folder, Arc-specific running services, and sometimes auto-generated Group Policy Objects (GPOs) that push the installation across the domain.

Default onboarding scripts or deployment shares (used for GPO, SCCM, or Ansible setups) often store credentials in plaintext or in easily decryptable blobs, and when DPAPI-NG (Next Generation Data Protection API) is misused those blobs become readable by every computer in the domain.
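As an added example (not code from the article or the red team), here is a small Python check a defender can run over onboarding scripts pulled from a deployment share to flag a Service Principal secret stored as a literal. It assumes the script layout of Microsoft's generated Arc onboarding script, where the secret sits in a `$servicePrincipalSecret` variable and is passed to `azcmagent connect --service-principal-secret`; both sample scripts are constructed.

```python
"""Flag Azure Arc onboarding scripts that embed a Service Principal secret."""
import re
from dataclasses import dataclass

# Constructed sample: a literal secret assigned to the variable the generated
# onboarding script uses, then passed to azcmagent via that variable.
SAMPLE_SCRIPT = r'''
$servicePrincipalId = "00000000-0000-0000-0000-000000000000"
$servicePrincipalSecret = "REDACTED-EXAMPLE-SECRET"
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
  --service-principal-id "$servicePrincipalId" `
  --service-principal-secret "$servicePrincipalSecret" `
  --tenant-id "$tenantId" --resource-group "Arc-Servers"
'''

# Constructed sample of the safer pattern: the secret is injected at run time
# (here from an environment variable) and never written into the script.
SAFE_SCRIPT = r'''
$servicePrincipalSecret = $env:ARC_SP_SECRET
& azcmagent connect --service-principal-id $spId --service-principal-secret $servicePrincipalSecret
'''

@dataclass
class Finding:
    line_no: int
    reason: str

# A "literal" is quoted or bare text that is not a PowerShell variable ($...).
_LITERAL = re.compile(r'''^["']?(?!\$)(?P<val>[^"'\s]+)["']?$''')
_ASSIGN = re.compile(r'^\s*\$servicePrincipalSecret\s*=\s*(?P<rhs>.+?)\s*$', re.I)
_FLAG = re.compile(r'--service-principal-secret\s+(?P<arg>\S+)', re.I)

def _is_hardcoded(token: str) -> bool:
    """True for a literal value; generator placeholders like <secret> are ignored."""
    m = _LITERAL.match(token.strip())
    return bool(m) and not m.group("val").startswith("<")

def scan_onboarding_script(text: str) -> list[Finding]:
    """Return one Finding per line that carries the SP secret as a literal."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN.match(line)
        if m and _is_hardcoded(m.group("rhs")):
            findings.append(Finding(n, "literal secret assigned to $servicePrincipalSecret"))
        m = _FLAG.search(line)
        if m and _is_hardcoded(m.group("arg")):
            findings.append(Finding(n, "literal secret passed to --service-principal-secret"))
    return findings
```

Point the scanner at every *.ps1 in GPO startup-script folders and SCCM/Ansible deployment shares; any hit means the secret must be rotated in Entra, not just removed from the file.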

Remotely Executing Code and Maintaining Stealthy Persistence

With the proper Azure role, adversaries can use Arc’s built-in “Run Command” functionality or the Custom Script Extension (CSE) to execute payloads as SYSTEM, just like on an Azure VM, but now on any Arc-connected host, regardless of location.

Attackers can deploy malware, establish persistent access, or download tools via file URIs—all from the trusted Azure control plane.

Arc management overview window

Notably, these actions often evade traditional network monitoring, since they operate through Azure APIs and native, digitally signed agent processes.

Combined with misconfigured RBAC or weak deployment hygiene, Azure Arc can become a near-undetectable out-of-band persistence mechanism spanning cloud and on-premises domains.

Hybrid cloud defenders must take Arc exposure seriously: rigorously audit RBAC assignments, secure deployment scripts, monitor for Arc agent artifacts, and validate extension and activity logs before attackers exploit Azure Arc’s legitimate power for illegitimate gain.
