Azure Run Command Script Child Process
Identifies process start events whose parent matches Azure Virtual Machine Run Command execution patterns on Windows
or Linux. On Windows, Run Command often launches PowerShell with -ExecutionPolicy Unrestricted and a script?.ps1
file; on Linux, the Azure Linux Agent (waagent) runs downloaded script.sh under "/var/lib/waagent/run-command/".
Child process telemetry exposes the on-guest payload that cloud activity logs do not fully describe.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/05/20"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2026/05/20"

[rule]
author = ["Elastic"]
description = """
Identifies process start events whose parent matches Azure Virtual Machine Run Command execution patterns on Windows
or Linux. On Windows, Run Command often launches PowerShell with `-ExecutionPolicy Unrestricted` and a `script?.ps1`
file; on Linux, the Azure Linux Agent (waagent) runs downloaded script.sh under "/var/lib/waagent/run-command/".
Child process telemetry exposes the on-guest payload that cloud activity logs do not fully describe.
"""
false_positives = [
    """
    Legitimate configuration management, extension deployment, or automation that uses Azure Run Command with the same
    PowerShell or shell script paths may match. Baseline approved VM names, script naming, and deployment windows
    before tuning.
    """,
]
from = "now-9m"
index = [
    "logs-endpoint.events.process*",
    "logs-windows.sysmon_operational-*"
]
language = "eql"
license = "Elastic License v2"
name = "Azure Run Command Script Child Process"
note = """## Triage and analysis

### Investigating Azure Run Command Script Child Process

Azure VM Run Command executes scripts on guests without interactive RDP or SSH. On Windows, a parent PowerShell
process with `-ExecutionPolicy Unrestricted -File script?.ps1` often precedes child utilities; on Linux, `waagent`
invokes `/var/lib/waagent/run-command/download/*/script.sh` via `bash`, `sh`, or `dash`.

Correlate with `logs-azure.activitylogs-*` for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` when available.

### Possible investigation steps

- Review `process.command_line`, `process.name`, and `process.parent.command_line` or `process.parent.args`.
- Confirm whether the host is an Azure VM and whether Run Command was expected for that asset.
- Pivot on `host.name` or `host.id` for other suspicious process or network activity in the same window.

### False positive analysis

- Extension handlers, guest configuration, and patch orchestration may use the same parent patterns.
- Exclude known automation hosts or script paths after validating with platform teams.

### Response and remediation

- If unauthorized, review Azure RBAC on the VM and subscription, revoke compromised credentials, and isolate the guest.
- Collect endpoint artifacts and Azure activity logs for incident reporting.
"""
references = [
    "https://docs.microsoft.com/en-us/azure/virtual-machines/run-command",
    "https://hackingthe.cloud/azure/run-command-abuse/"
]
risk_score = 47
rule_id = "cb9554e8-9f31-41a8-b4f5-d82144e6dc33"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Azure",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
  (
    (process.parent.name == "powershell.exe" and
     process.parent.command_line like "powershell -ExecutionPolicy Unrestricted -File script?.ps1") or
    (process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox") and
     process.parent.args like "/var/lib/waagent/run-command/download/*/script.sh")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
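To make the query's matching semantics concrete, here is an added Python walkthrough (not part of the Elastic rule or its repository) that re-implements the EQL predicate above over a few constructed process events and then performs the activity-log correlation the triage guide recommends. It assumes the ECS field names `azure.activitylogs.operation_name` and `azure.resource.name` for the activity-log side and a 9-minute lookback matching the rule's `from`; the sample events and activity-log entries are constructed for illustration. Two details worth seeing in code: EQL `like` is anchored to the whole string (a parent command line beginning with `powershell.exe` instead of `powershell` does not match), and `process.parent.args like "..."` on an array field is true when any element matches.

```python
import re
from datetime import datetime, timedelta

# Parent process patterns copied from the rule's query.
WIN_PARENT_CMDLINE = "powershell -ExecutionPolicy Unrestricted -File script?.ps1"
LINUX_PARENT_ARG = "/var/lib/waagent/run-command/download/*/script.sh"
LINUX_SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox"}
RUN_COMMAND_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"


def eql_like(value, pattern):
    """Approximate EQL `like`: '*' matches any run of characters, '?' exactly one,
    and the pattern is anchored to the whole string (no implicit wildcards)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def matches_rule(ev):
    """Python rendering of the rule's EQL predicate on a single ECS process event."""
    if ev.get("event.type") not in ("start", "process_started"):
        return False
    parent = ev.get("process.parent.name", "")
    if parent == "powershell.exe":
        return eql_like(ev.get("process.parent.command_line", ""), WIN_PARENT_CMDLINE)
    if parent in LINUX_SHELLS:
        # `args like "..."` on an array field is true when any element matches.
        return any(eql_like(a, LINUX_PARENT_ARG) for a in ev.get("process.parent.args", []))
    return False


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(hits, activity_events, window=timedelta(minutes=9)):
    """For each endpoint hit, count Run Command activity-log entries for the same VM name
    within `window` before the child process started. Field names are assumptions."""
    rows = []
    for hit in hits:
        t = _ts(hit["@timestamp"])
        related = [a for a in activity_events
                   if a.get("azure.activitylogs.operation_name") == RUN_COMMAND_OP
                   and a.get("azure.resource.name", "").lower() == hit["host.name"].lower()
                   and timedelta(0) <= t - _ts(a["@timestamp"]) <= window]
        rows.append({"host": hit["host.name"], "child": hit["process.name"],
                     "child_cmdline": hit.get("process.command_line", ""),
                     "activity_log_hits": len(related)})
    return rows


# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    # Windows: PowerShell started by Run Command spawns whoami -> matches
    {"@timestamp": "2026-05-20T10:01:05Z", "host.name": "vm-web-01", "event.type": "start",
     "process.name": "whoami.exe", "process.command_line": "whoami /all",
     "process.parent.name": "powershell.exe",
     "process.parent.command_line": "powershell -ExecutionPolicy Unrestricted -File script0.ps1"},
    # Linux: waagent's downloaded script.sh, run by bash, spawns systemctl -> matches
    {"@timestamp": "2026-05-20T10:03:10Z", "host.name": "vm-db-02", "event.type": "start",
     "process.name": "systemctl", "process.command_line": "systemctl status nginx",
     "process.parent.name": "bash",
     "process.parent.args": ["bash", "/var/lib/waagent/run-command/download/3/script.sh"]},
    # Interactive admin PowerShell -> parent command line does not match the pattern
    {"@timestamp": "2026-05-20T10:04:00Z", "host.name": "vm-web-01", "event.type": "start",
     "process.name": "hostname.exe", "process.command_line": "hostname",
     "process.parent.name": "powershell.exe", "process.parent.command_line": "powershell.exe -NoProfile"},
    # Same flags but the command line starts with "powershell.exe": `like` is anchored, so no match
    {"@timestamp": "2026-05-20T10:05:00Z", "host.name": "vm-web-01", "event.type": "start",
     "process.name": "whoami.exe", "process.command_line": "whoami",
     "process.parent.name": "powershell.exe",
     "process.parent.command_line": "powershell.exe -ExecutionPolicy Unrestricted -File script0.ps1"},
    # Linux: operator's own script outside the waagent download path -> no match
    {"@timestamp": "2026-05-20T10:06:00Z", "host.name": "vm-db-02", "event.type": "start",
     "process.name": "systemctl", "process.command_line": "systemctl restart nginx",
     "process.parent.name": "bash", "process.parent.args": ["/bin/bash", "/home/admin/deploy.sh"]},
]

# Constructed activity-log entries; the second is too old to fall in the 9-minute window.
SAMPLE_ACTIVITY_LOG = [
    {"@timestamp": "2026-05-20T10:00:40Z", "azure.activitylogs.operation_name": RUN_COMMAND_OP,
     "azure.resource.name": "VM-WEB-01"},
    {"@timestamp": "2026-05-20T09:30:00Z", "azure.activitylogs.operation_name": RUN_COMMAND_OP,
     "azure.resource.name": "vm-db-02"},
]


def evaluate(events=SAMPLE_EVENTS, activity=SAMPLE_ACTIVITY_LOG):
    """Run the rule over the events and attach activity-log correlation to each hit."""
    return correlate([e for e in events if matches_rule(e)], activity)


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

A hit with `activity_log_hits` of zero is not automatically malicious: the activity-log index may lag, be unavailable, or use a resource name that differs from `host.name`, which is why the triage guide says to correlate "when available" rather than to require the join.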
Related rules
- Azure Run Command Correlated with Process Execution
- AWS SSM Session Manager Child Process Execution
- Suspicious Instance Metadata Service (IMDS) API Command Line Execution
- Multi-Cloud CLI Token and Credential Access Commands
- Execution via GitHub Actions Runner