Azure New CloudShell Created

Aug 12, 2024 · attack.execution attack.t1059 ·

Identifies when a new cloudshell is created inside of Azure portal.

Sigma rule (View on GitHub)

 1title: Azure New CloudShell Created
 2id: 72af37e2-ec32-47dc-992b-bc288a2708cb
 3status: test
 4description: Identifies when a new cloudshell is created inside of Azure portal.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 7author: Austin Songer
 8date: 2021-09-21
 9modified: 2022-08-23
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: azure
15    service: activitylogs
16detection:
17    selection:
18        operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
19    condition: selection
20falsepositives:
21    - A new cloudshell may be created by a system administrator.
22level: medium

References

Azure permissions - Azure RBAC

Lists the permissions for Azure resource providers.

Read More

Related rules

Abusable DLL Potential Sideloading From Suspicious Location
Add Insecure Download Source To Winget
Add New Download Source To Winget
Atlassian Confluence CVE-2022-26134
BPFDoor Abnormal Process ID or Lock File Accessed

Azure New CloudShell Created

Sigma rule (View on GitHub)

References

Azure permissions - Azure RBAC

Related rules