Azure Command Execution on Virtual Machine
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/17"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
13virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However,
14commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
15may be able to execute commands on a VM as well.
16"""
17false_positives = [
18 """
19 Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
20 username, hostname, and/or resource name should be making changes in your environment. Command execution from
21 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
22 from the rule.
23 """,
24]
25from = "now-25m"
26index = ["filebeat-*", "logs-azure*"]
27language = "kuery"
28license = "Elastic License v2"
29name = "Azure Command Execution on Virtual Machine"
30note = """## Setup
31
32The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
33references = [
34 "https://adsecurity.org/?p=4277",
35 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
36 "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
37]
38risk_score = 47
39rule_id = "60884af6-f553-4a6c-af13-300047455491"
40severity = "medium"
41tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution"]
42timestamp_override = "event.ingested"
43type = "query"
44
45query = '''
46event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1059"
54name = "Command and Scripting Interpreter"
55reference = "https://attack.mitre.org/techniques/T1059/"
56
57
58[rule.threat.tactic]
59id = "TA0002"
60name = "Execution"
61reference = "https://attack.mitre.org/tactics/TA0002/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure Kubernetes Events Deleted
- Azure Resource Group Deletion
- Azure AD Global Administrator Role Assigned