In the Rule of the Week section, we present the Command Execution on Azure VM (via azureactivity) rule by the SOC Prime Team: https://tdm.socprime.com/tdm/info/A5uYMlcWOmeq/RYxlfnIB1-hfOQirCXZy/?p=1#
Adversaries can misuse Azure VM functionality to establish a foothold in an environment, which could then be used to persist access and escalate privileges. They can exploit the Run Command feature, which uses the virtual machine (VM) agent to run PowerShell scripts inside an Azure Windows VM. Because the request is issued through the Azure Portal, REST API, Azure CLI, or PowerShell, this feature allows commands to be executed even when the VM itself is unreachable (e.g. if the RDP or SSH ports are closed).
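Since Run Command is invoked through the control plane, it leaves a trace in the Azure Activity Log rather than inside the VM. The following is an added example, not the SOC Prime rule itself, of the detection logic run over constructed Activity Log records; it assumes the AzureActivity column names (OperationNameValue, Caller, CallerIpAddress, CorrelationId, ResourceId) and that the Run Command operation is recorded as the RBAC action Microsoft.Compute/virtualMachines/runCommand/action.

```python
import json
import re

# Assumed (not from the page): Azure Activity Log records as exported to the
# AzureActivity table. The Run Command RBAC action is
# "Microsoft.Compute/virtualMachines/runCommand/action"; the table stores it
# upper-cased in OperationNameValue, so match case-insensitively.
RUN_COMMAND_OP = re.compile(r"^microsoft\.compute/virtualmachines/runcommand/action$", re.I)
VM_NAME = re.compile(r"/virtualmachines/([^/]+)$", re.I)

# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_LOG = """
{"TimeGenerated": "2020-06-01T10:00:01Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "ActivityStatusValue": "Start", "Caller": "alice@contoso.example", "CallerIpAddress": "198.51.100.23", "CorrelationId": "c-001", "ResourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web-01"}
{"TimeGenerated": "2020-06-01T10:00:04Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "ActivityStatusValue": "Success", "Caller": "alice@contoso.example", "CallerIpAddress": "198.51.100.23", "CorrelationId": "c-001", "ResourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web-01"}
{"TimeGenerated": "2020-06-01T10:05:00Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "ActivityStatusValue": "Start", "Caller": "ops@contoso.example", "CallerIpAddress": "198.51.100.23", "CorrelationId": "c-002", "ResourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db-01"}
{"TimeGenerated": "2020-06-01T23:41:09Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "ActivityStatusValue": "Start", "Caller": "svc-backup@contoso.example", "CallerIpAddress": "203.0.113.7", "CorrelationId": "c-003", "ResourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db-01"}
"""

def parse_activity_log(text):
    """Parse a JSON-lines activity log export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_run_command(records):
    """Return one alert per Run Command operation. The Start and Success
    phases of one operation share a CorrelationId, so each is reported once."""
    seen, alerts = set(), []
    for rec in records:
        if not RUN_COMMAND_OP.match(rec.get("OperationNameValue", "")):
            continue
        corr = rec.get("CorrelationId") or rec.get("TimeGenerated")
        if corr in seen:
            continue
        seen.add(corr)
        m = VM_NAME.search(rec.get("ResourceId", ""))
        alerts.append({
            "time": rec.get("TimeGenerated"),
            "caller": rec.get("Caller"),
            "caller_ip": rec.get("CallerIpAddress"),
            "vm": m.group(1) if m else rec.get("ResourceId"),
        })
    return alerts

if __name__ == "__main__":
    for a in detect_run_command(parse_activity_log(SAMPLE_LOG)):
        print(f"{a['time']} Run Command on {a['vm']} by {a['caller']} from {a['caller_ip']}")
```

Triage then turns on who the caller is and where they came from: a service account issuing Run Command from an unfamiliar address outside change windows is the case worth escalating.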
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, RSA NetWitness
EDR: Elastic Endpoint
Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion
Techniques: Command-Line Interface (T1059), Redundant Access (T1108), Valid Accounts (T1078)
The Command Execution on Azure VM (via azureactivity) rule covers three MITRE ATT&CK techniques. To successfully perform this attack on Azure infrastructure and run commands, hackers need access to a domain account. We want to offer a list of content available on Threat Detection Marketplace that will help you discover attempts to steal credentials.
Harvesting Credentials from Windows Credential Manager (via cmdline): https://tdm.socprime.com/tdm/info/41LYkTLe4g4a/iSGyYHIBjwDfaYjKFbEf/
VPN Security Monitor Rule pack: https://my.socprime.com/en/integrations/vpn-security-monitor
Security Monitoring for Office365 SaaS Platform Rule Pack: https://my.socprime.com/en/integrations/security-monitoring-for-office365-saas-platform-ala
Password Security Rule Pack: https://my.socprime.com/en/integrations/password-security-sentinel
Brute Force Detection Rule Pack: https://my.socprime.com/en/integrations/brute-force-detection