Azure Compute VM Command Execution Detected
Successful execution of commands on Azure Virtual Machines, specifically the MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation, may indicate unauthorized activity or lateral movement attempts.
This detection identifies command execution on Azure Virtual Machines (VMs) by monitoring Azure activity logs for the MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation. While roles like Virtual Machine Contributor allow managing VMs, they do not inherently grant access. However, adversaries can leverage PowerShell to remotely execute commands on a VM as the SYSTEM user. This rule is triggered upon successful command execution and could indicate malicious activity, particularly if initiated by unexpected users or systems. The rule aims to detect unauthorized command executions, potentially revealing lateral movement or unauthorized access attempts. Originally created in August 2020, this rule was last updated on April 10, 2026.
Attack Chain
- An attacker compromises an Azure account or service principal with Virtual Machine Contributor or similar permissions.
- The attacker authenticates to the Azure environment using the compromised credentials.
- The attacker identifies a target Azure Virtual Machine.
- The attacker utilizes the
RunCommandfeature of the Azure Compute service to execute commands on the target VM. This leverages theMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTIONoperation. - The command is executed on the VM with SYSTEM privileges.
- The attacker attempts to perform reconnaissance, such as listing directory contents, user accounts, or network configurations.
- The attacker may attempt to move laterally by installing malware, creating new accounts, or modifying system configurations.
- The attacker achieves their objective, such as data exfiltration or establishing persistence within the Azure environment.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, installation of malware, lateral movement within the Azure environment, and potential compromise of other resources. While the specific number of victims and targeted sectors are not provided, the impact on affected organizations includes data breaches, system downtime, and reputational damage. The damage depends on the commands executed and the attacker's ultimate objectives.
Recommendation
- Deploy the Sigma rule
Azure Compute VM Command Executedto your SIEM to detect suspicious command executions (see below). - Review Azure activity logs for the
MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTIONoperation and investigate any unexpected command executions. - Implement least privilege access controls for Azure resources, limiting the ability to execute commands on VMs to only authorized users and service principals.
- Monitor the roles and permissions of users and service principals with Virtual Machine Contributor roles, revoking unnecessary permissions.
- Configure alerting on successful
MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTIONevents to enable rapid incident response. - Correlate command execution events with other security logs to identify potential lateral movement or other suspicious activities.
Detection coverage 2
Azure Compute VM Command Executed
mediumDetects command execution on a virtual machine in Azure via the RunCommand action.
Azure Compute VM Command Execution - PowerShell
highDetects PowerShell command execution on a virtual machine in Azure via the RunCommand action.
Detection queries are available on the platform. Get full rules →