Azure VM Managed Run Command Created or Updated with Unusual Principal
Identifies the creation or update of a managed Azure Run Command resource ("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE" or the virtual machine scale set equivalent) by an identity that has not performed this operation recently. Unlike the action-based Run Command ("runCommand/action"), the managed Run Command is a persistent resource on the VM whose creation or update executes the supplied script as System (Windows) or root (Linux). Because creating a managed run command both executes code and leaves a durable object, adversaries can use it as an alternative to the action invocation to evade detections that only watch "runCommand/action". Alerting on the first time a given principal performs this operation surfaces unusual or unauthorized use while suppressing routine automation that repeatedly manages the same run commands.
Elastic rule
[metadata]
creation_date = "2026/06/16"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/16"

[rule]
author = ["Elastic"]
description = """
Identifies the creation or update of a managed Azure Run Command resource
("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE" or the virtual machine scale set equivalent) by an identity that
has not performed this operation recently. Unlike the action-based Run Command ("runCommand/action"), the managed Run
Command is a persistent resource on the VM whose creation or update executes the supplied script as System (Windows) or
root (Linux). Because creating a managed run command both executes code and leaves a durable object, adversaries can use
it as an alternative to the action invocation to evade detections that only watch "runCommand/action". Alerting on the
first time a given principal performs this operation surfaces unusual or unauthorized use while suppressing routine
automation that repeatedly manages the same run commands.
"""
false_positives = [
    """
    Infrastructure-as-code, configuration management, and patching automation may create or update managed run commands.
    The first occurrence per principal will alert; baseline expected service principals, managed identities, and admin
    users and exclude them if the activity is verified as authorized.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Managed Run Command Created or Updated with Unusual Principal"
note = """## Triage and analysis

### Investigating Azure VM Managed Run Command Created or Updated with Unusual Principal

The managed Run Command (`runCommands/write`) creates or updates a persistent run command resource on a VM or VM scale
set. Creating the resource executes the supplied script as SYSTEM (Windows) or root (Linux). This rule uses a new terms
approach keyed on the acting principal, so it fires the first time a given identity performs this operation within the
history window.

### Triage checklist

- Identify the acting principal via `azure.activitylogs.identity.authorization.evidence.principal_id` and
  `azure.activitylogs.identity.authorization.evidence.principal_type` (User vs ServicePrincipal). Service principal or
  managed identity activity is more suspicious than a known admin user.
- Is the source IP/ASN consistent with corporate infrastructure or a known VPN?
- Inspect `azure.resource.id` for the target VM/VMSS and the run command resource name. Attacker-created names are often
  random or descriptive of intent.
- Did the same principal recently perform reconnaissance, role assignments, or other VM operations
  (`runCommand/action`, `extensions/write`, serial console connect)?
- Correlate with endpoint telemetry on the target host: process activity parented by the Azure guest agent
  (`WaAppAgent.exe` / `walinuxagent`) within ~120 seconds of the write timestamp.

### Possible investigation steps

- Review the principal's Entra ID sign-in logs and RBAC role assignments on the subscription, resource group, and VM.
- Retrieve the run command script content from the VM (the activity log does not contain the script body) to assess
  intent.
- Pivot on the VM for credential access, new local accounts, or outbound C2 connections following execution.

### Response and remediation

- If unauthorized, delete the managed run command resource, isolate the VM, rotate credentials reachable from it, and
  review RBAC on the affected scope.
- Collect endpoint and activity log artifacts per incident procedures.
"""
references = [
    "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
    "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command-managed",
    "https://hackingthe.cloud/azure/run-command-abuse/",
    "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors",
    "https://www.sysdig.com/blog/the-expendable-extension-name-azure-vmaccess-naming-chaos-password-resets-and-a-detection-gap",
]
risk_score = 47
rule_id = "b4a80990-e028-4792-83eb-09e59959059f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Endpoint",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
data_stream.dataset:azure.activitylogs and
    event.action:(
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMANDS/WRITE"
    ) and event.outcome:(success or Success) and
    azure.activitylogs.identity.authorization.evidence.principal_id: *
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.outcome",
    "azure.activitylogs.operation_name",
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.activitylogs.identity.authorization.evidence.principal_type",
    "azure.activitylogs.identity.claims.appid",
    "azure.activitylogs.identity.claims_initiated_by_user.name",
    "azure.resource.id",
    "azure.resource.name",
    "source.ip",
    "source.geo.country_name",
    "source.as.organization.name",
    "azure.subscription_id",
    "azure.activitylogs.tenant_id",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.activitylogs.identity.authorization.evidence.principal_id"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
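The following is an added, stand-alone illustration (not part of the Elastic rule or its test data) of how the query filter and the new-terms logic above behave: events are filtered exactly as the KQL does, and a principal only alerts when it has no matching write earlier in the 7-day history window. The event dicts, principal ids and the fixed "now" are constructed, and ECS field names are flattened to single keys.

```python
from datetime import datetime, timedelta, timezone

# The two event.action values the rule's query matches (Azure logs them upper-cased).
VM_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE"
VMSS_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMANDS/WRITE"
RUNCOMMAND_WRITES = {VM_WRITE, VMSS_WRITE}
HISTORY_WINDOW = timedelta(days=7)    # rule: history_window_start = "now-7d"
RULE_LOOKBACK = timedelta(minutes=9)  # rule: from = "now-9m"
NOW = datetime(2026, 6, 16, 12, 0, tzinfo=timezone.utc)  # constructed "now" for the sample

def matches_query(ev):
    """Mirror of the KQL filter: dataset, write action, success outcome, principal present."""
    return (
        ev.get("data_stream.dataset") == "azure.activitylogs"
        and ev.get("event.action") in RUNCOMMAND_WRITES
        and str(ev.get("event.outcome", "")).lower() == "success"  # (success or Success)
        and bool(ev.get("principal_id"))  # ...evidence.principal_id: *
    )

def new_term_alerts(events, now):
    """Return (timestamp, principal_id, action) for matching events inside the rule lookback
    whose principal_id did not perform the operation earlier in the 7-day history window."""
    history_start, lookback_start = now - HISTORY_WINDOW, now - RULE_LOOKBACK
    hits = [e for e in events if matches_query(e) and history_start <= e["@timestamp"] <= now]
    known = {e["principal_id"] for e in hits if e["@timestamp"] < lookback_start}
    return sorted(
        (e["@timestamp"], e["principal_id"], e["event.action"])
        for e in hits
        if e["@timestamp"] >= lookback_start and e["principal_id"] not in known
    )

def _ev(minutes_ago, principal, action, outcome="Success"):
    """Build a constructed activity-log event (ECS field names flattened for brevity)."""
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago), "data_stream.dataset": "azure.activitylogs",
            "event.action": action, "event.outcome": outcome, "principal_id": principal}

# Constructed sample: principal ids are placeholders, not real Entra object ids.
SAMPLE_EVENTS = [
    _ev(3 * 24 * 60, "sp-patch-automation", VM_WRITE),   # baseline write 3 days ago
    _ev(2, "sp-patch-automation", VM_WRITE),             # routine repeat: principal known, suppressed
    _ev(4, "user-never-seen", VMSS_WRITE),               # first-ever write by this principal: alert
    _ev(1, None, VM_WRITE),                              # no principal_id evidence: dropped by the query
    _ev(5, "sp-other", "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"),  # action form: other rule
    _ev(6, "user-failed", VM_WRITE, outcome="Failure"),  # failed write: dropped by the query
    _ev(10 * 24 * 60, "user-aged-out", VM_WRITE),        # last seen 10 days ago: outside history
    _ev(3, "user-aged-out", VM_WRITE),                   # ... so this write counts as a new term: alert
]
if __name__ == "__main__":
    for ts, pid, action in new_term_alerts(SAMPLE_EVENTS, NOW):
        print(ts.isoformat(), pid, action)
```

The aged-out case is the one worth noticing in triage: a principal that last touched run commands more than seven days ago will alert again, which is by design rather than a false positive.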
Related rules
- Azure VM Extension CRUD Operation with Unusual Source ASN
- Azure Compute VM Command Executed
- Azure Run Command Correlated with Process Execution
- Azure VM Extension Deployment by User
- Azure VM Boot Diagnostics Retrieved