IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Blob Container Access Level Modification Azure Service Principal Credentials Added »

› ›

Azure Command Execution on Virtual Machine

edit

Azure Command Execution on Virtual Machine

edit

Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but does not allow accessing them or the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles, may be able to execute commands on a VM as well.

Rule type: query

Rule indices:

filebeat-*
logs-azure*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Cloud
Azure
Continuous Monitoring
SecOps
Log Auditing

Version: 8

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/

« Azure Blob Container Access Level Modification Azure Service Principal Credentials Added »