Query Details
```kql
// Rule : Azure Cryptojacking - High-Compute VM Deployed by New Identity
// Severity: High
// Tactics : Impact
// MITRE : T1496
// Freq : PT6H Period: P14D
//==========================================================================================
// VM size prefixes worth watching: NC/NV/ND/NP are GPU and FPGA families, HB/HC are HPC CPU families.
// A regex is used instead of has_any: 'has' matches whole terms, so the prefix "Standard_NC"
// would not match a complete size string such as "Standard_NC6s_v3".
let HighComputeSkuPattern = @"(?i)Standard_(NC|NV|ND|NP|HB|HC)";
// Caller substrings that indicate IaC or CI/CD automation rather than an interactive user.
let KnownAutoPatterns = dynamic(["terraform", "bicep", "pipeline", "github", "pulumi", "devops", "arm-deployment"]);
// Baseline: identities that already deployed these sizes in the 14-day window, minus the current 6-hour slice.
let PriorGPUDeployers = AzureActivity
| where TimeGenerated between (ago(14d) .. ago(6h))
| where OperationNameValue has_any ("VIRTUALMACHINES/WRITE", "VIRTUALMACHINESCALESETS/WRITE")
| where Properties matches regex HighComputeSkuPattern
| where ActivityStatusValue =~ "Success"
| distinct Caller;
AzureActivity
| where TimeGenerated > ago(6h)
| where ActivityStatusValue =~ "Success"
| where OperationNameValue has_any ("VIRTUALMACHINES/WRITE", "VIRTUALMACHINESCALESETS/WRITE")
| where Properties matches regex HighComputeSkuPattern
| where not(tolower(Caller) has_any (KnownAutoPatterns))
| where isnotempty(CallerIpAddress)
// 168.63.x is the Azure platform range (168.63.129.16 is the host/wire-server address) and 169.254.x is link-local;
// neither is the address of an operator's client.
| where CallerIpAddress !startswith "168.63." and CallerIpAddress !startswith "169.254."
| where Caller !in (PriorGPUDeployers)
| summarize
    DeploymentCount = count(),
    DeployedResources = make_set(ResourceId, 10),
    SourceIPs = make_set(CallerIpAddress, 5),
    CallerIP = take_any(CallerIpAddress),   // any() is deprecated; take_any() is the current name
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, ResourceGroup, SubscriptionId
// Caller is a UPN for user accounts; for service principals and managed identities it is an application ID,
// so AccountUPNSuffix is empty on those rows.
| extend
    AccountName = tostring(split(Caller, "@")[0]),
    AccountUPNSuffix = tostring(split(Caller, "@")[1])
```

This query is designed to detect potential cryptojacking activity in Azure by identifying high-compute virtual machines (VMs) deployed by identities that have not deployed such VMs before. Here is a breakdown of what the query does:
Define high-compute VM sizes: It starts by listing the VM size prefixes worth watching (NC, NV, ND and NP are GPU and FPGA families; HB and HC are HPC CPU families) and keeps only VM and scale-set write events whose Properties payload carries one of those sizes. These are the sizes a cryptojacker rents with a stolen identity, and they are also the most expensive line on the bill.
Exclude known automation: Callers whose name contains a marker of IaC or CI/CD automation (terraform, bicep, pipeline, github, pulumi, devops, arm-deployment) are dropped, because deployments by those identities are expected. Tune this list to your own naming convention; an overly broad pattern here is an easy place for an attacker-created principal to hide.
Identify prior deployers: It looks back over the past 14 days, excluding the last 6 hours so the current window cannot baseline itself, for identities that have already completed a successful write of a high-compute VM or scale set, and treats those as known deployers.
Detect new deployments: It then examines the last 6 hours of successful VM and scale-set writes for those sizes and keeps only callers that are neither known deployers nor matched by the automation patterns.
Filter by IP address: It requires a non-empty CallerIpAddress and discards Azure platform addresses (168.63.x, used by the Azure host and wire server, and 169.254.x link-local), so only events with a real client address survive.
Summarize suspicious activity: For each new caller, per resource group and subscription, it reports the number of deployments, up to ten deployed resource IDs, up to five source IPs, and the first and last time the activity was seen.
Extract account information: Finally, it splits Caller on "@" into an account name and a UPN suffix for investigation. Caller is a UPN only for user accounts; for a service principal or managed identity it is the application ID, so AccountUPNSuffix is empty for those rows and the account name is the ID itself.
The overall goal is to flag potentially unauthorized deployments of high-compute VMs that could be used for cryptojacking, focusing on new and unknown identities. Two points to keep in mind when tuning: VIRTUALMACHINES/WRITE is emitted for updates and resizes as well as for creations, so a user who merely tagged or resized a GPU VM in the last 14 days joins the baseline; and a compromised identity that has legitimately deployed these sizes before will not be flagged, so pair this rule with cost- or quota-based alerting.
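To see the baseline and filtering logic end to end, here is an added Python re-implementation of the rule run over a constructed set of AzureActivity-like rows. This is example code written for this page, not the Sentinel rule itself or anything from the rule's author; the row layout, the simplified Properties JSON, and every account name, address and resource ID are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference time for the constructed sample below; stands in for now() in the KQL rule.
NOW = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)

# Same size prefixes as the rule. A regex is used because a whole-term 'has' on the
# prefix "Standard_NC" would not match a full size string such as "Standard_NC6s_v3".
HIGH_COMPUTE_SKU = re.compile(r"(?i)Standard_(NC|NV|ND|NP|HB|HC)")
KNOWN_AUTO_PATTERNS = ("terraform", "bicep", "pipeline", "github", "pulumi", "devops", "arm-deployment")
VM_WRITE_OPS = ("MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE")
AZURE_PLATFORM_PREFIXES = ("168.63.", "169.254.")


def _ev(hours_ago, caller, ip, size, rg="rg-sandbox", status="Success", op=VM_WRITE_OPS[0], name="vm1"):
    """Build one constructed AzureActivity-like row. Properties is a simplified JSON string (assumption)."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "Properties": '{"vmSize":"%s"}' % size,
        "Caller": caller,
        "CallerIpAddress": ip,
        "ResourceId": "/subscriptions/sub-1/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s" % (rg, name),
        "ResourceGroup": rg,
        "SubscriptionId": "sub-1",
    }


# Constructed sample telemetry (not real data). Comments give the expected outcome of each row.
SAMPLE_EVENTS = [
    _ev(5 * 24, "alice@contoso.com", "203.0.113.10", "Standard_NC6s_v3", name="train-01"),      # baseline deployer
    _ev(2, "alice@contoso.com", "203.0.113.10", "Standard_NV12s_v3", name="train-02"),          # known deployer: excluded
    _ev(3, "svc-terraform-pipeline@contoso.com", "203.0.113.20", "Standard_NC24", name="ci-gpu"),  # automation: excluded
    _ev(1, "bob@contoso.com", "198.51.100.7", "Standard_NC6s_v3", name="miner-a"),              # new identity: flagged
    _ev(0.5, "bob@contoso.com", "198.51.100.7", "Standard_ND96asr_v4", name="miner-b"),         # same identity, second VM
    _ev(2, "carol@contoso.com", "198.51.100.9", "Standard_D4s_v3", name="web-01"),              # not a high-compute size
    _ev(1.5, "6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f", "192.0.2.44", "Standard_HB120rs_v3",
        rg="rg-hpc", name="hpc-01"),                                                            # service principal: flagged
    _ev(4, "dave@contoso.com", "198.51.100.30", "Standard_NC4as_T4_v3", status="Failed", name="gpu-x"),  # failed: excluded
    _ev(0.3, "erin@contoso.com", "168.63.129.16", "Standard_NC6s_v3", name="gpu-y"),            # platform IP: excluded
]


def is_high_compute_write(ev):
    """Successful VM/scale-set write whose payload names one of the watched size prefixes."""
    return (ev["ActivityStatusValue"].lower() == "success"
            and ev["OperationNameValue"].upper() in VM_WRITE_OPS
            and HIGH_COMPUTE_SKU.search(ev["Properties"]) is not None)


def prior_deployers(events, now=NOW, lookback=timedelta(days=14), recent=timedelta(hours=6)):
    """Identities that deployed a watched size in the baseline window: 14 days back, minus the last 6 hours."""
    start, end = now - lookback, now - recent
    return {ev["Caller"] for ev in events if start <= ev["TimeGenerated"] <= end and is_high_compute_write(ev)}


def detect(events, now=NOW, recent=timedelta(hours=6)):
    """Apply the rule's filters to the last 6 hours and summarize by (Caller, ResourceGroup, SubscriptionId)."""
    known = prior_deployers(events, now)
    groups = defaultdict(list)
    for ev in events:
        if ev["TimeGenerated"] <= now - recent or not is_high_compute_write(ev):
            continue
        caller, ip = ev["Caller"], ev["CallerIpAddress"]
        # Substring check approximates the KQL term-based has_any on the lower-cased caller.
        if any(p in caller.lower() for p in KNOWN_AUTO_PATTERNS):
            continue
        if not ip or ip.startswith(AZURE_PLATFORM_PREFIXES):
            continue
        if caller in known:
            continue
        groups[(caller, ev["ResourceGroup"], ev["SubscriptionId"])].append(ev)

    findings = []
    for (caller, rg, sub), evs in sorted(groups.items()):
        local, _, suffix = caller.partition("@")   # suffix is empty for an application-ID caller
        findings.append({
            "Caller": caller, "ResourceGroup": rg, "SubscriptionId": sub,
            "DeploymentCount": len(evs),
            "DeployedResources": sorted({e["ResourceId"] for e in evs})[:10],
            "SourceIPs": sorted({e["CallerIpAddress"] for e in evs})[:5],
            "FirstSeen": min(e["TimeGenerated"] for e in evs),
            "LastSeen": max(e["TimeGenerated"] for e in evs),
            "AccountName": local,
            "AccountUPNSuffix": suffix,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["Caller"], f["ResourceGroup"], f["DeploymentCount"], f["SourceIPs"], f["AccountUPNSuffix"] or "(no UPN suffix)")
```

Running it yields two findings: bob@contoso.com with two deployments in rg-sandbox, and the application-ID caller in rg-hpc with an empty UPN suffix. Alice is absorbed into the baseline, the terraform pipeline is excluded by name, the failed deployment and the platform-IP row never reach the summarize step, and the D-series VM is not a watched size.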

David Alonso
Released: March 12, 2026