Azure Compute VM Command Executed
Identifies synchronous command execution on a virtual machine (VM) or virtual machine scale set (VMSS) in Azure via the action-based Run Command ("runCommand/action"). A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run on the VM via the Run Command feature, which execute as System (Windows) or root (Linux). Other roles, such as certain Administrator roles, may be able to execute commands on a VM as well.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/08/17"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/10"

[rule]
author = ["Elastic"]
description = """
Identifies synchronous command execution on a virtual machine (VM) or virtual machine scale set (VMSS) in Azure via the
action-based Run Command ("runCommand/action"). A Virtual Machine Contributor role lets you manage virtual machines, but
not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run on
the VM via the Run Command feature, which execute as System (Windows) or root (Linux). Other roles, such as certain
Administrator roles, may be able to execute commands on a VM as well.
"""
false_positives = [
    """
    Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
    username, hostname, and/or resource name should be making changes in your environment. Command execution from
    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
    from the rule.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Compute VM Command Executed"
note = """## Triage and analysis

### Investigating Azure Compute VM Command Executed

Azure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't access them directly. However, commands can be executed remotely via PowerShell, running as System. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for command execution events, flagging successful operations to identify potential misuse.

### Possible investigation steps

- Review the Azure activity logs to identify the specific user or service principal that initiated the command execution event, focusing on the operation_name values "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION".
- Identify the VM in question via the `azure.resource.name` field. This can aid with pivoting into endpoint analysis of the commands executed.
- Check the event.outcome field to confirm the success of the command execution and gather details about the command executed.
- Investigate the role and permissions of the user or service principal involved to determine if they have legitimate reasons to execute commands on the VM.
- Analyze the context of the command execution, including the time and frequency of the events, to identify any unusual patterns or anomalies.
- Correlate the command execution event with other logs or alerts from the same time period to identify any related suspicious activities or potential lateral movement.
- If unauthorized access is suspected, review the VM's security settings and access controls to identify and mitigate any vulnerabilities or misconfigurations.

### False positive analysis

- Routine maintenance tasks executed by IT administrators can trigger the rule. To manage this, create exceptions for known maintenance scripts or scheduled tasks that are regularly executed.
- Automated deployment processes that use PowerShell scripts to configure or update VMs may be flagged. Identify these processes and exclude them from the rule to prevent unnecessary alerts.
- Security tools or monitoring solutions that perform regular checks on VMs might execute commands that are benign. Whitelist these tools by identifying their specific command patterns and excluding them from detection.
- Development and testing environments often involve frequent command executions for testing purposes. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.
- Ensure that any exclusion or exception is documented and reviewed periodically to maintain security posture and adapt to any changes in the environment or processes.

### Response and remediation

- Immediately isolate the affected virtual machine from the network to prevent further unauthorized command execution and potential lateral movement.
- Review the Azure activity logs to identify the source of the command execution and determine if it was authorized or part of a larger attack pattern.
- Revoke any unnecessary permissions from users or roles that have the ability to execute commands on virtual machines, focusing on those with Virtual Machine Contributor roles.
- Conduct a thorough investigation of the executed commands to assess any changes or impacts on the system, and restore the VM to a known good state if necessary.
- Implement additional monitoring and alerting for similar command execution activities, ensuring that any future unauthorized attempts are detected promptly.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems or data may have been compromised.
- Review and update access control policies and role assignments to ensure that only necessary permissions are granted, reducing the risk of similar incidents in the future.
"""
references = [
    "https://adsecurity.org/?p=4277",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
    "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
    "https://hackingthe.cloud/azure/run-command-abuse/",
    "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command-managed",
]
risk_score = 47
rule_id = "60884af6-f553-4a6c-af13-300047455491"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Endpoint",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:(
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION"
    ) and event.outcome:(Success or success) and
    azure.activitylogs.identity.authorization.evidence.principal_id: * and
    source.as.number: * and
    azure.resource.name: *
'''

[rule.new_terms]
field = "new_terms_fields"
value = [
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.resource.name",
    "source.as.number"
]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
Triage and analysis
Investigating Azure Compute VM Command Executed
Azure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't log in to them directly. However, the Run Command feature executes arbitrary commands on the guest through the control plane, as SYSTEM (PowerShell) on Windows or root (shell) on Linux, so any principal holding the runCommand/action permission effectively has full access to the guest. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for successful Run Command operations and, because it is a new_terms rule, alerts only when the combination of principal, target VM name and source ASN has not been seen in the previous seven days.
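The rule's query and its `new_terms` behaviour, as an added example that is not part of the Elastic rule: a plain-Python re-implementation run over constructed Activity Log events (simplified ECS-style dicts; the principal IDs, VM names and ASNs are made up). It treats the three new-terms fields as one combined term and ages a term out after the 7-day history window. A real new_terms rule evaluates terms against the history window at each scheduled run rather than per event, so this is the streaming equivalent of the logic, not the engine itself.

```python
"""Added example, not Elastic's code: the rule's KQL filter and the new_terms
semantics re-implemented over constructed Azure Activity Log events so the
detection logic can be stepped through offline. Field names are the ones used
in the rule's query; every value in SAMPLE_EVENTS is made up."""
from datetime import datetime, timedelta, timezone

RUN_COMMAND_OPS = {
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION",
}
# The three fields the rule combines into one "term"; all must be present (the `: *` clauses).
NEW_TERMS_FIELDS = (
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.resource.name",
    "source.as.number",
)
HISTORY_WINDOW = timedelta(days=7)  # history_window_start = "now-7d"


def get_field(event, dotted):
    """Resolve a dotted ECS path against a nested dict; None if any hop is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_query(event):
    """The rule's base query: dataset, a Run Command operation, a successful
    outcome (the query accepts "Success" or "success"), and all three
    new-terms fields present."""
    if get_field(event, "data_stream.dataset") != "azure.activitylogs":
        return False
    if get_field(event, "azure.activitylogs.operation_name") not in RUN_COMMAND_OPS:
        return False
    if get_field(event, "event.outcome") not in ("Success", "success"):
        return False
    return all(get_field(event, f) is not None for f in NEW_TERMS_FIELDS)


class NewTermsDetector:
    """Alert when the (principal_id, resource name, source ASN) combination has
    not been seen in the preceding history window. A combination that goes
    quiet for longer than the window becomes "new" again."""

    def __init__(self, window=HISTORY_WINDOW):
        self.window = window
        self.last_seen = {}  # term tuple -> timestamp of most recent sighting

    def process(self, event):
        """Return the term tuple if this event should alert, else None.
        Events must be fed in timestamp order."""
        if not matches_query(event):
            return None
        ts = get_field(event, "@timestamp")
        term = tuple(get_field(event, f) for f in NEW_TERMS_FIELDS)
        prev = self.last_seen.get(term)
        self.last_seen[term] = ts
        if prev is None or ts - prev > self.window:
            return term
        return None


def make_event(ts, principal, vm, asn, outcome="Success",
               op="MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"):
    """Constructed sample event in the shape the rule's fields expect."""
    return {
        "@timestamp": ts,
        "data_stream": {"dataset": "azure.activitylogs"},
        "event": {"outcome": outcome},
        "azure": {
            "activitylogs": {
                "operation_name": op,
                "identity": {"authorization": {"evidence": {"principal_id": principal}}},
            },
            "resource": {"name": vm},
        },
        "source": {"as": {"number": asn}},
    }


T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    make_event(T0, "sp-deploy", "web-01", 8075),                         # first sighting: alert
    make_event(T0 + timedelta(minutes=5), "sp-deploy", "web-01", 8075),  # repeat inside window: quiet
    make_event(T0 + timedelta(hours=1), "sp-deploy", "web-01", 64512),   # same principal, new ASN: alert
    make_event(T0 + timedelta(hours=2), "sp-deploy", "db-01", 8075),     # same principal, new VM: alert
    make_event(T0 + timedelta(hours=3), "user-bob", "web-01", 8075, outcome="Failure"),  # failed: filtered
    make_event(T0 + timedelta(hours=4), "user-bob", "web-01", 8075,
               op="MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"),     # not Run Command: filtered
    make_event(T0 + timedelta(days=8), "sp-deploy", "web-01", 8075),     # quiet > 7d: new again, alert
]


def run_rule(events, window=HISTORY_WINDOW):
    """Replay events through the detector and return the alerting terms in order."""
    det = NewTermsDetector(window)
    return [term for term in (det.process(e) for e in events) if term is not None]


if __name__ == "__main__":
    for term in run_rule(SAMPLE_EVENTS):
        print("ALERT new term:", term)
```

The fourth alert is the one to keep in mind when tuning: a principal that legitimately ran commands last month will alert again after a week of silence, which is by design, since the rule is looking for unfamiliar combinations rather than unfamiliar principals.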
Possible investigation steps
- Review the Azure activity logs to identify the specific user or service principal that initiated the command execution event, focusing on the operation_name values "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION".
- Identify the VM in question via the `azure.resource.name` field. This can aid with pivoting into endpoint analysis of the commands executed.
- Check the event.outcome field to confirm the command execution succeeded. Note that the Activity Log entry records which principal ran a command on which VM, from where and when, but not the script body itself; the commands actually executed have to be recovered from the guest (the related Run Command process rules listed below cover that side).
- Investigate the role and permissions of the user or service principal involved to determine if they have legitimate reasons to execute commands on the VM.
- Analyze the context of the command execution, including the time and frequency of the events, to identify any unusual patterns or anomalies.
- Correlate the command execution event with other logs or alerts from the same time period to identify any related suspicious activities or potential lateral movement.
- If unauthorized access is suspected, review the VM's security settings and access controls to identify and mitigate any vulnerabilities or misconfigurations.
False positive analysis
- Routine maintenance tasks executed by IT administrators can trigger the rule. To manage this, create exceptions for known maintenance scripts or scheduled tasks that are regularly executed.
- Automated deployment processes that use PowerShell scripts to configure or update VMs may be flagged. Identify these processes and exclude them from the rule to prevent unnecessary alerts.
- Security tools or monitoring solutions that perform regular checks on VMs might execute commands that are benign. Allowlist these tools by identifying the principal, source ASN and target resources they normally use and excluding that combination from detection, rather than excluding the principal alone, since a stolen credential for that principal would then go unnoticed.
- Development and testing environments often involve frequent command executions for testing purposes. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.
- Ensure that any exclusion or exception is documented and reviewed periodically to maintain security posture and adapt to any changes in the environment or processes.
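Added triage helpers for the investigation steps and the exception handling discussed above (example code, not part of the Elastic rule): a per-principal summary (event count, distinct VMs, distinct source ASNs, time span), a sliding-window fan-out check that flags a principal running commands on many VMs in a short interval, which is the shape lateral movement via Run Command usually takes, and exceptions keyed on (principal, VM name prefix) rather than on a principal alone. Input rows are flat tuples as you would export from the alert table; the names, ASNs and thresholds are constructed for the demo.

```python
"""Added example, not part of the Elastic rule: triage helpers for a batch of
Run Command events that matched the rule. Rows are flat
(principal_id, resource_name, source_asn, timestamp) tuples; every value in
SAMPLE_ROWS is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def summarize_by_principal(rows):
    """Per principal: event count, distinct VMs, distinct source ASNs and the
    time span covered, the first things to check on a new alert."""
    summary = {}
    for principal, vm, asn, ts in rows:
        s = summary.setdefault(principal, {"count": 0, "vms": set(), "asns": set(),
                                           "first": ts, "last": ts})
        s["count"] += 1
        s["vms"].add(vm)
        s["asns"].add(asn)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return summary


def fan_out(rows, max_vms=3, window=timedelta(minutes=15)):
    """Principals that touched more than `max_vms` distinct VMs inside any
    `window`-long interval (sliding window per principal). Returns
    {principal: peak distinct VM count}. The thresholds are illustrative;
    tune them to how your own automation behaves."""
    by_principal = defaultdict(list)
    for principal, vm, _asn, ts in rows:
        by_principal[principal].append((ts, vm))
    flagged = {}
    for principal, items in by_principal.items():
        items.sort()
        in_window = Counter()
        lo = 0
        for ts, vm in items:
            in_window[vm] += 1
            # evict events that fell out of the window behind this one
            while ts - items[lo][0] > window:
                old_vm = items[lo][1]
                in_window[old_vm] -= 1
                if in_window[old_vm] == 0:
                    del in_window[old_vm]
                lo += 1
            if len(in_window) > max_vms:
                flagged[principal] = max(flagged.get(principal, 0), len(in_window))
    return flagged


def apply_exceptions(rows, exceptions):
    """Drop rows covered by a documented exception. An exception is
    (principal_id, resource name prefix), e.g. the deployment service
    principal acting on VMs named 'web-*'. Keeping exceptions this narrow
    means the same principal acting on other VMs still surfaces."""
    def excepted(principal, vm):
        return any(principal == p and vm.startswith(prefix) for p, prefix in exceptions)
    return [r for r in rows if not excepted(r[0], r[1])]


T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = (
    # deployment service principal sweeping six VMs in six minutes from its usual ASN
    [("sp-deploy", f"web-{i:02d}", 8075, T0 + timedelta(minutes=i)) for i in range(6)]
    # an admin running two commands a day apart on two VMs
    + [("user-alice", "db-01", 8075, T0 + timedelta(hours=1)),
       ("user-alice", "db-02", 8075, T0 + timedelta(days=1))]
    # alice's principal again, but from a never-before-seen ASN
    + [("user-alice", "db-01", 64512, T0 + timedelta(days=1, hours=2))]
)
KNOWN_AUTOMATION = [("sp-deploy", "web-")]  # hypothetical documented exception


if __name__ == "__main__":
    for principal, s in summarize_by_principal(SAMPLE_ROWS).items():
        print(principal, s["count"], sorted(s["vms"]), sorted(s["asns"]), s["first"], s["last"])
    print("fan-out:", fan_out(SAMPLE_ROWS))
    print("rows left after exceptions:", len(apply_exceptions(SAMPLE_ROWS, KNOWN_AUTOMATION)))
```

On the sample data the sweep by sp-deploy is flagged by fan_out and then removed by the exception, while user-alice's command from an unfamiliar ASN survives both filters and is the row worth an analyst's time.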
Response and remediation
- Immediately isolate the affected virtual machine from the network to prevent further unauthorized command execution and potential lateral movement.
- Review the Azure activity logs to identify the source of the command execution and determine if it was authorized or part of a larger attack pattern.
- Revoke any unnecessary permissions from users or roles that have the ability to execute commands on virtual machines, focusing on those with Virtual Machine Contributor roles.
- Conduct a thorough investigation of the executed commands to assess any changes or impacts on the system, and restore the VM to a known good state if necessary.
- Implement additional monitoring and alerting for similar command execution activities, ensuring that any future unauthorized attempts are detected promptly.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems or data may have been compromised.
- Review and update access control policies and role assignments to ensure that only necessary permissions are granted, reducing the risk of similar incidents in the future.
References
- https://adsecurity.org/?p=4277
- https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
- https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
- https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/
- https://hackingthe.cloud/azure/run-command-abuse/
- https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command-managed
Related rules
- Azure Run Command Correlated with Process Execution
- Azure VM Extension Deployment by User
- Azure Run Command Script Child Process
- AWS SSM Session Manager Child Process Execution
- AWS EC2 LOLBin Execution via SSM SendCommand