Azure Command Execution on Virtual Machine
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.
Elastic rule
[metadata]
creation_date = "2020/08/17"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However,
commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
may be able to execute commands on a VM as well.
"""
false_positives = [
    """
    Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
    username, hostname, and/or resource name should be making changes in your environment. Command execution from
    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
    from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Command Execution on Virtual Machine"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Command Execution on Virtual Machine

Azure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't access them directly. However, commands can be executed remotely via PowerShell, running as System. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for command execution events, flagging successful operations to identify potential misuse.

### Possible investigation steps

- Review the Azure activity logs to identify the specific user or service principal that initiated the command execution event, focusing on the operation_name "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION".
- Check the event.outcome field to confirm the success of the command execution and gather details about the command executed.
- Investigate the role and permissions of the user or service principal involved to determine if they have legitimate reasons to execute commands on the VM.
- Analyze the context of the command execution, including the time and frequency of the events, to identify any unusual patterns or anomalies.
- Correlate the command execution event with other logs or alerts from the same time period to identify any related suspicious activities or potential lateral movement.
- If unauthorized access is suspected, review the VM's security settings and access controls to identify and mitigate any vulnerabilities or misconfigurations.

### False positive analysis

- Routine maintenance tasks executed by IT administrators can trigger the rule. To manage this, create exceptions for known maintenance scripts or scheduled tasks that are regularly executed.
- Automated deployment processes that use PowerShell scripts to configure or update VMs may be flagged. Identify these processes and exclude them from the rule to prevent unnecessary alerts.
- Security tools or monitoring solutions that perform regular checks on VMs might execute commands that are benign. Whitelist these tools by identifying their specific command patterns and excluding them from detection.
- Development and testing environments often involve frequent command executions for testing purposes. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.
- Ensure that any exclusion or exception is documented and reviewed periodically to maintain security posture and adapt to any changes in the environment or processes.

### Response and remediation

- Immediately isolate the affected virtual machine from the network to prevent further unauthorized command execution and potential lateral movement.
- Review the Azure activity logs to identify the source of the command execution and determine if it was authorized or part of a larger attack pattern.
- Revoke any unnecessary permissions from users or roles that have the ability to execute commands on virtual machines, focusing on those with Virtual Machine Contributor roles.
- Conduct a thorough investigation of the executed commands to assess any changes or impacts on the system, and restore the VM to a known good state if necessary.
- Implement additional monitoring and alerting for similar command execution activities, ensuring that any future unauthorized attempts are detected promptly.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems or data may have been compromised.
- Review and update access control policies and role assignments to ensure that only necessary permissions are granted, reducing the risk of similar incidents in the future.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://adsecurity.org/?p=4277",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
]
risk_score = 47
rule_id = "60884af6-f553-4a6c-af13-300047455491"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
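The rule's KQL filter and the exception handling its false-positive section describes, replayed in Python over constructed activity-log events. This is an added example, not part of the Elastic rule; only the three fields the query names are taken from the page, while the identity and resource field names and all event values are assumptions.

```python
# Replay of the page's KQL over constructed Azure activity-log events (flattened
# dotted keys, as the Azure integration ships them). Only the three fields the
# rule queries are certain; the identity and resource field names are assumed.
RUNCOMMAND_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
ACTOR = "azure.activitylogs.identity.claims_initiated_by_user.name"  # assumed field

def _ev(ts, op, outcome, actor, vm, dataset="azure.activitylogs"):
    """Build one constructed sample event."""
    return {"@timestamp": ts, "event.dataset": dataset, "event.outcome": outcome,
            "azure.activitylogs.operation_name": op, ACTOR: actor, "azure.resource.name": vm}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("2025-01-15T10:02:11Z", RUNCOMMAND_OP, "Success", "analyst@example.com", "web-vm-01"),
    _ev("2025-01-15T10:05:40Z", RUNCOMMAND_OP, "success", "sp-patch-automation", "web-vm-02"),
    _ev("2025-01-15T10:07:03Z", RUNCOMMAND_OP, "Failure", "analyst@example.com", "db-vm-01"),
    _ev("2025-01-15T10:08:30Z", "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "Success",
        "ops@example.com", "web-vm-01"),
    # Lower-cased operation name: a keyword-mapped field compares exactly, which is why the rule
    # spells out both outcome values; this constructed event shows the same effect on operation_name.
    _ev("2025-01-15T10:09:12Z", RUNCOMMAND_OP.lower(), "Success", "analyst@example.com", "web-vm-03"),
]

def matches_rule(event):
    """KQL-equivalent of the rule's query. operation_name is compared exactly and
    case-sensitively, as a keyword field would be; event.outcome accepts both
    spellings exactly as the rule's (Success or success) clause does."""
    return (event.get("event.dataset") == "azure.activitylogs"
            and event.get("azure.activitylogs.operation_name") == RUNCOMMAND_OP
            and event.get("event.outcome") in ("Success", "success"))

def triage(events, allowlisted_actors=frozenset()):
    """Return (actor, vm, timestamp) per hit, skipping actors recorded as
    documented exceptions (the automation the false-positive section describes)."""
    hits = []
    for ev in events:
        if matches_rule(ev) and ev.get(ACTOR) not in allowlisted_actors:
            hits.append((ev.get(ACTOR, "<unknown>"), ev.get("azure.resource.name", "<unknown>"),
                         ev["@timestamp"]))
    return hits

if __name__ == "__main__":
    for actor, vm, ts in triage(SAMPLE_EVENTS, {"sp-patch-automation"}):
        print(f"{ts} RunCommand on {vm} by {actor}")
```

Each hit carries the actor, resource and time the investigation steps ask for, so the same tuple can be joined against other log sources for the correlation step.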
Related rules
- AWS SSM `SendCommand` Execution by Rare User
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure Kubernetes Events Deleted
- Azure Resource Group Deletion