Azure Command Execution on Virtual Machine
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/17"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
11virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However,
12commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
13may be able to execute commands on a VM as well.
14"""
15false_positives = [
16 """
17 Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
18 username, hostname, and/or resource name should be making changes in your environment. Command execution from
19 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
20 from the rule.
21 """,
22]
23from = "now-25m"
24index = ["filebeat-*", "logs-azure*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "Azure Command Execution on Virtual Machine"
28note = """## Setup
29
30The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = [
32 "https://adsecurity.org/?p=4277",
33 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
34 "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
35]
36risk_score = 47
37rule_id = "60884af6-f553-4a6c-af13-300047455491"
38severity = "medium"
39tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution"]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1059"
52name = "Command and Scripting Interpreter"
53reference = "https://attack.mitre.org/techniques/T1059/"
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
For most of 2019, I was digging into Office 365 and Azure AD and looking at features as part of the development of the new Trimarc Microsoft Cloud Security Assessment which focuses on improving cus...
Read More -
-
This article describes the Azure built-in roles for Azure role-based access control (Azure RBAC). It lists Actions, NotActions, DataActions, and NotDataActions.
Read More
Related rules
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure Kubernetes Events Deleted
- Azure Resource Group Deletion
- AWS CloudTrail Log Created