In the Rule of the Week section, we present the Command Execution on Azure VM (via azureactivity) rule by the SOC Prime Team:

  Adversaries can misuse Azure VM functionality to establish a foothold in an environment, which could then be used to persist access and escalate privileges. They can abuse the Run Command feature, which uses the virtual machine (VM) agent to run PowerShell scripts inside an Azure Windows VM. Because the request goes through the Azure control plane (the Azure Portal, REST API, Azure CLI, or Azure PowerShell) rather than over the network to the guest, commands can be executed even when the VM is not reachable directly (e.g. when the RDP or SSH ports are closed). Each invocation is recorded in the Azure Activity log, which is what the rule inspects.
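The following is an added illustration of the detection logic, written for this post and not the SOC Prime rule itself. It runs over a handful of constructed Azure Activity records (invented callers, VMs, IPs and correlation IDs; field names follow the Sentinel AzureActivity table schema and are assumed), matches the Run Command operation name, collapses the Start/Success/Failed records that one call produces into a single invocation, and escalates invocations by callers outside an allow-list or that were denied:

```python
import json
from collections import OrderedDict

# Operation name the Azure Activity log records for a Run Command invocation.
# Compared case-insensitively: the Sentinel AzureActivity table upper-cases
# OperationNameValue, while a raw REST/CLI export keeps the mixed-case form.
RUN_COMMAND_OP = "microsoft.compute/virtualmachines/runcommand/action"

# Constructed sample records in the shape of the Sentinel AzureActivity table
# (assumed field names; the callers, VMs, IPs and IDs are invented for this
# example and are not real telemetry).
SAMPLE_EVENTS = json.loads("""
[
 {"TimeGenerated": "2021-03-02T10:15:03Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
  "ActivityStatusValue": "Start",   "Caller": "ops.admin@example.com", "CallerIpAddress": "203.0.113.10",
  "ResourceGroup": "PROD-RG", "Resource": "web01", "CorrelationId": "c-1"},
 {"TimeGenerated": "2021-03-02T10:15:41Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
  "ActivityStatusValue": "Success", "Caller": "ops.admin@example.com", "CallerIpAddress": "203.0.113.10",
  "ResourceGroup": "PROD-RG", "Resource": "web01", "CorrelationId": "c-1"},
 {"TimeGenerated": "2021-03-02T10:20:00Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
  "ActivityStatusValue": "Success", "Caller": "ops.admin@example.com", "CallerIpAddress": "203.0.113.10",
  "ResourceGroup": "PROD-RG", "Resource": "web01", "CorrelationId": "c-2"},
 {"TimeGenerated": "2021-03-02T23:48:12Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
  "ActivityStatusValue": "Start",   "Caller": "svc-backup@example.com", "CallerIpAddress": "198.51.100.77",
  "ResourceGroup": "PROD-RG", "Resource": "dc01", "CorrelationId": "c-3"},
 {"TimeGenerated": "2021-03-02T23:48:13Z", "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
  "ActivityStatusValue": "Failed",  "Caller": "svc-backup@example.com", "CallerIpAddress": "198.51.100.77",
  "ResourceGroup": "PROD-RG", "Resource": "dc01", "CorrelationId": "c-3"}
]
""")


def is_run_command(event):
    """True when the activity record is a Run Command invocation."""
    return event.get("OperationNameValue", "").lower() == RUN_COMMAND_OP


def run_command_invocations(events):
    """Collapse the Start/Success/Failed records that one Run Command call
    produces into a single invocation keyed on CorrelationId, keeping the
    last status seen. Returns a list ordered by first appearance."""
    invocations = OrderedDict()
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if not is_run_command(ev):
            continue
        key = ev["CorrelationId"]
        inv = invocations.setdefault(key, {
            "correlation_id": key,
            "first_seen": ev["TimeGenerated"],
            "caller": ev.get("Caller"),
            "caller_ip": ev.get("CallerIpAddress"),
            "vm": f'{ev.get("ResourceGroup")}/{ev.get("Resource")}',
            "status": ev.get("ActivityStatusValue"),
        })
        # "Start" only means the control plane accepted the call; the later
        # Success/Failed record carries the outcome, so overwrite as they arrive.
        inv["status"] = ev.get("ActivityStatusValue")
    return list(invocations.values())


def triage(events, expected_callers):
    """Every Run Command invocation is worth an alert; escalate those whose
    caller is not on the allow-list or that failed (a denied call is often a
    permission probe by a freshly compromised account)."""
    alerts = []
    for inv in run_command_invocations(events):
        reasons = []
        if inv["caller"] not in expected_callers:
            reasons.append("caller not on Run Command allow-list")
        if inv["status"] == "Failed":
            reasons.append("failed invocation")
        alerts.append({**inv, "severity": "high" if reasons else "medium", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, {"ops.admin@example.com"}):
        print(json.dumps(alert))
```

Note what the Activity log does and does not give you: it records who invoked Run Command, against which VM, from which IP and whether the call succeeded, but not the script body. To see what actually ran you need telemetry from inside the guest (for example PowerShell script block logging forwarded from the VM), so a hit from this rule should be followed by a look at the endpoint logs for the same time window.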

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, RSA NetWitness

EDR: Elastic Endpoint

Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion

Techniques: Command-Line Interface (T1059), Redundant Access (T1108), Valid Accounts (T1078)

The Command Execution on Azure VM (via azureactivity) rule covers three MITRE ATT&CK techniques. To run commands through this feature, an attacker first needs a valid Azure identity with permission to invoke Run Command on the target VM (for example, a compromised account holding the Virtual Machine Contributor role on it), so stolen credentials are the usual starting point. Below is a list of content available on Threat Detection Marketplace that will help you discover attempts to steal credentials.

Harvesting Credentials from Windows Credential Manager (via cmdline)

VPN Security Monitor Rule Pack

Security Monitoring for Office365 SaaS Platform Rule Pack

Password Security Rule Pack

Brute Force Detection Rule Pack
