Query Details

Azure Vm Run Command Or Custom Script Execution Detected

Query

id: 5354125d-37a5-41d2-b065-2ea38194a51d
name: Azure VM Run Command or Custom Script execution detected
version: 1.0.0
kind: Scheduled
description: A user has either initiated an Azure VM Run Command or Custom Script execution
severity: Medium
queryFrequency: 30m
queryPeriod: 35m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - LateralMovement
relevantTechniques:
  - T1059
query: |-
  AzureActivity 
  | where CategoryValue == "Administrative"
  | where OperationNameValue =~ "Microsoft.Compute/virtualMachines/runCommand/action"
  | extend VMName = tostring(todynamic(Properties).resource)
  | summarize make_list(ActivityStatusValue), TimeGenerated = max(TimeGenerated) by CorrelationId, CallerIpAddress, Caller, ResourceGroup, VMName
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: Caller
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: VMName
suppressionDuration: 5h

Explanation

This query is used to detect when a user initiates an Azure VM Run Command or Custom Script execution. It looks for Azure activity events with the category "Administrative" and the operation name "Microsoft.Compute/virtualMachines/runCommand/action" (matched case-insensitively with `=~`), extracts the target VM name from the `resource` field of the event's Properties JSON, and then summarizes the results by correlation ID, caller IP address, caller, resource group, and VM name, collecting the list of activity status values (for example Start and Success) and the latest timestamp for each group. The query is scheduled to run every 30 minutes and has a query period of 35 minutes. The severity of the detection is medium. Incidents are created for each detection, and there is no incident grouping or suppression enabled. The query does not group events by any specific entities.
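To show what the filter and summarize steps above produce, here is an added Python re-implementation of the rule's logic over constructed AzureActivity-style records (example code, not part of the rule or of this site); the event helper, sample callers, IP addresses and VM names are made up for the demonstration.

```python
import json
from collections import defaultdict

RUN_CMD = "Microsoft.Compute/virtualMachines/runCommand/action"

def event(ts, category, op, status, corr, vm, caller="alice@example.com",
          ip="203.0.113.10", rg="RG-PROD"):
    """Build one constructed AzureActivity-style record (sample data, not real telemetry)."""
    return {"TimeGenerated": ts, "CategoryValue": category, "OperationNameValue": op,
            "ActivityStatusValue": status, "CorrelationId": corr, "CallerIpAddress": ip,
            "Caller": caller, "ResourceGroup": rg, "Properties": json.dumps({"resource": vm})}

SAMPLE_EVENTS = [
    # Start and Success of one Run Command share a CorrelationId -> one summarized row.
    event("2023-07-25T10:00:00Z", "Administrative", RUN_CMD.upper(), "Start", "corr-1", "vm-web-01"),
    event("2023-07-25T10:00:12Z", "Administrative", RUN_CMD, "Success", "corr-1", "vm-web-01"),
    # A different operation on the same VM is dropped by the OperationNameValue filter.
    event("2023-07-25T10:01:00Z", "Administrative",
          "Microsoft.Compute/virtualMachines/start/action", "Success", "corr-2", "vm-web-01"),
    # Right operation but not an Administrative event: dropped by the CategoryValue filter.
    event("2023-07-25T10:02:00Z", "Policy", RUN_CMD, "Success", "corr-3", "vm-web-01"),
    # Second Run Command by another caller -> its own row (and, with AlertPerResult, its own alert).
    event("2023-07-25T10:05:00Z", "Administrative", RUN_CMD, "Success", "corr-4", "vm-db-02",
          caller="bob@example.com", ip="198.51.100.7"),
]

def detect_run_command(events):
    """Mirror the rule's KQL: where CategoryValue == "Administrative", where OperationNameValue
    =~ RUN_CMD, extend VMName from Properties, then summarize make_list(ActivityStatusValue)
    and max(TimeGenerated) by CorrelationId, CallerIpAddress, Caller, ResourceGroup, VMName."""
    groups = defaultdict(lambda: {"statuses": [], "last": None})
    for e in events:
        if e["CategoryValue"] != "Administrative":              # KQL == is case-sensitive
            continue
        if e["OperationNameValue"].lower() != RUN_CMD.lower():  # KQL =~ is case-insensitive
            continue
        # tostring(todynamic(Properties).resource); a missing key yields "" like tostring(null)
        vm = str(json.loads(e["Properties"]).get("resource", ""))
        g = groups[(e["CorrelationId"], e["CallerIpAddress"], e["Caller"], e["ResourceGroup"], vm)]
        g["statuses"].append(e["ActivityStatusValue"])
        # ISO-8601 UTC strings sort chronologically, so string comparison gives max(TimeGenerated)
        if g["last"] is None or e["TimeGenerated"] > g["last"]:
            g["last"] = e["TimeGenerated"]
    return [{"CorrelationId": k[0], "CallerIpAddress": k[1], "Caller": k[2], "ResourceGroup": k[3],
             "VMName": k[4], "ActivityStatuses": g["statuses"], "TimeGenerated": g["last"]}
            for k, g in groups.items()]

if __name__ == "__main__":
    for row in detect_run_command(SAMPLE_EVENTS):
        print(row)
```

Each returned row corresponds to one alert under the rule's AlertPerResult setting, with the status list showing whether the Run Command only started or also completed.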

Details


Fabian Bader

Released: July 25, 2023

Tables

AzureActivity

Keywords

AzureActivity,CategoryValue,OperationNameValue,Microsoft.Compute/virtualMachines/runCommand/action,Properties,resource,ActivityStatusValue,TimeGenerated,CorrelationId,CallerIpAddress,Caller,ResourceGroup,VMName

Operators

|, ==, =~, extend, summarize, where, todynamic, max, by, make_list
