Azure New CloudShell Created

Oct 17, 2023 · attack.execution attack.t1059 ·

Identifies when a new cloudshell is created inside of Azure portal.

Sigma rule (View on GitHub)

 1title: Azure New CloudShell Created
 2id: 72af37e2-ec32-47dc-992b-bc288a2708cb
 3status: test
 4description: Identifies when a new cloudshell is created inside of Azure portal.
 5references:
 6    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 7author: Austin Songer
 8date: 2021/09/21
 9modified: 2022/08/23
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: azure
15    service: activitylogs
16detection:
17    selection:
18        operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
19    condition: selection
20falsepositives:
21    - A new cloudshell may be created by a system administrator.
22level: medium

References

Azure permissions - Azure RBAC

Lists the permissions for Azure resource providers.

Read More

Related rules

Atlassian Confluence CVE-2022-26134
BPFDoor Abnormal Process ID or Lock File Accessed
Parent in Public Folder Suspicious Process
Payload Decoded and Decrypted via Built-in Utilities
Python Spawning Pretty TTY on Windows

Azure New CloudShell Created

Sigma rule (View on GitHub)

References

Azure permissions - Azure RBAC

Related rules