
What are some ways of diagnosing whether I'm on an Azure VM as opposed to a local Windows 10 installation? I get Windows event logs that reference AAD and others that seem to indicate that I'm signing in via RDP (Windows Remote Desktop). I don't have to enter any credentials aside from my Windows password, and there's no browser portal or anything which makes me use RDP explicitly.

Here is one example of an event log entry whose significance I would like to understand:

```
EventLog:          Application
RecordNumber:      3,679
TimeGenerated:     6/30/2020 11:24:38 PM
TimeWritten:       6/30/2020 11:24:38 PM
EventID:           1,034
EventType:         4
EventTypeName:     Information event
EventCategory:     0
EventCategoryName: None
SourceName:        Software Protection Platform Service
Strings:           AAD-WindowsCore-AddAccountRestrictions
                   100
ComputerName:      DESKTOP-857CLI7
SID:
Message:           Duplicate definition of policy found. Policy name=AAD-WindowsCore-AddAccountRestrictions Priority=100
```
DavidPostill
Henry A
  • I'm having trouble imagining how you are confused on this point. It is definitely possible to use AAD to manage hardware devices, but as for a VM, it should be entirely apparent if you are RDPing into another host (e.g. an Azure VM). I suppose it could be a thin client for VDI, but that sounds a bit much. What is the make/model of the hardware you are using? – Frank Thomas Jul 01 '20 at 03:58
  • I put the pc together myself. ASUS motherboard B360M-A, Intel Core i5-8400, AMD Radeon RX 580, 40GB ram DDR4 Corsair, Windows 10 Pro Build 19041.vb_release.191206-1406. I'm not a Windows Insider and I don't know why I have this specific build of Windows. – Henry A Jul 01 '20 at 04:05
  • If that's what you have installed, I don't see how this could possibly be a VM. Are you in a corporate environment? Are you a member of a domain? Check Control Panel -> System. – Frank Thomas Jul 01 '20 at 04:10
  • No, I am not in a corporate environment and I am not, to my knowledge, a member of a domain. One day, about a month ago, I noticed a PowerShell window open with code that I didn't enter, and I think it's related to my question. The code is long, but here is the first part of it. I don't know what to make of it. ```Enable-CredSSPClientRole { >> .SYNOPSIS >> Enables CredSSP on this computer as client role to the other computer. ``` – Henry A Jul 01 '20 at 04:20
  • This PowerShell window popping up with this code can be an attack; your PC may be cracked/hacked. – Krackout Jul 01 '20 at 09:29
  • I suspect that, and the question I have is how this persists beyond a full wipe and new installation of the OS, because I have done that. How can I diagnose whether the machine is an Azure VM using the tools I have available? Are you familiar with Azure Application Proxy? I can provide the rest of the code. I will try to upload it and link it. – Henry A Jul 01 '20 at 16:11
  • Here is the link to the rest of the code: https://pastebin.com/N5JPTr4A – Henry A Jul 01 '20 at 16:19
  • I have to agree, this is not something you should see on a normal unmanaged consumer system. Nuke it, rebuild, and change your passwords (long and strong). – Frank Thomas Jul 02 '20 at 03:16
  • I have nuked the OS multiple times and completely did a reinstall, but the problem persists. At first I thought it was something to do with the data disks, so I unplugged them and examined them for system files, but now I'm thinking it's my connection to the internet. VPN? Azure Application Proxy and virtual desktop? I don't know, and this is simply way beyond my understanding, so I can't fix it, and nobody cares, such as Microsoft or my internet provider. I want confirmation, at least, that something is happening, and that's my reason for posting. How can I get to understand what I'm dealing with? – Henry A Jul 04 '20 at 09:04

0 Answers
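The question asks for a concrete way to tell an Azure VM from a physical Windows 10 install, and the comments suggest checking hardware make/model and domain membership. The script below is an added example (editor's code, not from the question or any comment) that gathers those signals in one place and can be run from an elevated PowerShell prompt on the machine itself. The checks rely on things that are fixed facts about Azure and Windows: the Azure Instance Metadata Service (IMDS) is only reachable from inside an Azure VM on the link-local address 169.254.169.254; Azure and Hyper-V guests report `Microsoft Corporation` / `Virtual Machine` as manufacturer/model while a self-built PC reports its board vendor; the `WindowsAzureGuestAgent` service is only installed on Azure-provisioned VMs; `dsregcmd /status` reports the Azure AD join state; and `$env:SESSIONNAME` is `Console` for a local login but `RDP-Tcp#N` for a Remote Desktop session. The event 1034 entry quoted in the question is written by the Software Protection Platform (licensing) service and is counted here only for context; it is not on its own evidence of a VM or an RDP session. The `api-version` value is a real IMDS version; the timeout and the choice of fields are the editor's.

```powershell
# Added example: collect indicators that separate an Azure VM / RDP session
# from a local, stand-alone Windows 10 installation. Run in an elevated prompt.

function Get-AzureVmIndicators {
    $result = [ordered]@{}

    # 1. Azure Instance Metadata Service. The link-local address is answered only
    #    by the Azure fabric, so a response here means the OS is an Azure guest.
    try {
        $imds = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/instance?api-version=2021-02-01' `
                                  -Headers @{ Metadata = 'true' } -TimeoutSec 3
        $result.ImdsReachable = $true
        $result.ImdsVmId      = $imds.compute.vmId
        $result.ImdsLocation  = $imds.compute.location
    } catch {
        $result.ImdsReachable = $false   # expected on a physical machine
    }

    # 2. Firmware and chassis strings as seen by the OS. A self-built ASUS board
    #    reports its real vendor; Azure/Hyper-V guests report "Virtual Machine".
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.Manufacturer      = $cs.Manufacturer
    $result.Model             = $cs.Model
    $result.HypervisorPresent = $cs.HypervisorPresent   # True when running as a guest
    $result.BiosVendor        = $bios.Manufacturer
    $result.BiosSerial        = $bios.SerialNumber

    # 3. The Azure VM guest agent service exists only on Azure-provisioned VMs.
    $result.AzureGuestAgentService =
        [bool](Get-Service -Name WindowsAzureGuestAgent -ErrorAction SilentlyContinue)

    # 4. Domain and Azure AD join state. DomainRole 0 = stand-alone workstation.
    $result.DomainRole   = $cs.DomainRole
    $result.PartOfDomain = $cs.PartOfDomain
    $dsreg = dsregcmd /status 2>$null
    $result.AzureAdJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')

    # 5. How the current session was established: "Console" for a local login,
    #    "RDP-Tcp#<n>" when connected over Remote Desktop.
    $result.SessionName = $env:SESSIONNAME

    # 6. Context for the event quoted in the question: count SPP event 1034
    #    "Duplicate definition of policy found" entries in the Application log.
    $spp = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1034 } `
                        -MaxEvents 200 -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'Duplicate definition of policy' }
    $result.SppDuplicatePolicyEvents = @($spp).Count

    [pscustomobject]$result
}

Get-AzureVmIndicators | Format-List
```

Reading the output: `ImdsReachable = True` with a `vmId` is conclusive for an Azure VM; `ImdsReachable = False`, `HypervisorPresent = False`, a board vendor such as ASUSTeK in `Manufacturer`, no guest agent service, `PartOfDomain = False`, `AzureAdJoined = False` and `SessionName = Console` together describe a physical, stand-alone machine logged into locally. If the indicators disagree (for example `SessionName` shows `RDP-Tcp#0` on what should be a local console), that is the specific item worth investigating further rather than the licensing-service event.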