Security News > 2021 > March > Microsoft shares detection, mitigation advice for Azure LoLBins
Attackers can abuse a wide range of Window legitimate tools, including but not limited to Microsoft Defender, Windows Update, and even the Windows Finger command.
While being legitimately used by thousands of admins each day for managing their organizations' Azure fleets, their capabilities can also be used for malicious purposes, including circumventing network defense lines.
Custom Script Extensions were used by threat actors to deploy cryptominers on the networks of multiple Microsoft customers "From different countries within a noticeably short timeframe."
VMAccess and Antimalware extensions can be abused to tamper with service users and disable real-time protection capabilities.
To detect such malicious behavior in your organization, Microsoft recommends using Azure Defender for Resource Manager, which keeps track of Azure management operations and alerts you if it spots suspicious activity.
"Every request to the Azure Resource Manager Endpoint on management.azure.com is logged and analyzed to reveal malicious intentions and threats," Pliskin said.