Azure Compute Restore Point Collection Deleted by Unusual User
The deletion of Azure Restore Point Collections, which contain recovery points for virtual machines, by a user who has not previously performed this activity, indicates a potential attempt to prevent recovery during ransomware attacks or cover tracks during malicious operations.
This detection identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities, and their deletion can severely impact an organization's ability to recover from incidents, making them attractive targets for adversaries. This rule leverages Azure Activity Logs to detect unusual deletion activity, specifically focusing on the "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" event. The goal is to identify potentially malicious activity, such as ransomware attacks or attempts to cover tracks during malicious operations, targeting Azure environments. The activity logs are analyzed to create a baseline of users deleting Azure restore point collections, and deviations from this baseline are considered anomalous.
Attack Chain
- Initial Access: The attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.
- Privilege Escalation: The attacker escalates privileges within the Azure environment to gain the necessary permissions to manage and delete Restore Point Collections.
- Discovery: The attacker identifies Restore Point Collections associated with critical virtual machines within the Azure environment.
- Credential Access: The attacker attempts to gain access to additional accounts or credentials stored within the compromised system.
- Impair Defenses: The attacker deletes the Restore Point Collections to inhibit system recovery and prevent restoration of virtual machines to a previous state. The event is logged as "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" in Azure Activity Logs.
- Impact: The attacker encrypts virtual machines with ransomware, knowing that recovery from backups is hindered due to the deleted Restore Point Collections.
- Cover Tracks: The attacker attempts to delete logs and other evidence of their activity to prevent detection and investigation.
Impact
Successful deletion of Azure Restore Point Collections can severely impact an organization's ability to recover from ransomware attacks or other malicious activities. The loss of these recovery points can lead to extended downtime, data loss, and financial repercussions. The blog post referenced describes STORM-0501 using similar techniques in hybrid cloud environments. The impact may extend across cloud and on-premise systems. The number of affected virtual machines and the criticality of the impacted systems will determine the overall impact.
Recommendation
- Deploy the following Sigma rule to detect unusual deletions of Azure Restore Point Collections and tune it to your environment.
- Review Azure Activity Logs for the event "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" to investigate potentially malicious deletions.
- Implement the principle of least privilege for Azure account permissions to limit the potential impact of compromised accounts.
- Monitor the
azure.activitylogs.identity.claims_initiated_by_user.nameandazure.resource.groupfields to identify the specific user and resource groups involved in deletion activities. - Investigate any alerts generated by the Sigma rules, following the triage and analysis steps outlined in the rule's note field.
Detection coverage 2
Azure Compute Restore Point Collection Deletion
mediumDetects the deletion of Azure Restore Point Collections.
Azure Compute Restore Point Collection Deletion by Unusual User
mediumDetects the deletion of Azure Restore Point Collections by users not previously associated with this activity
Detection queries are available on the platform. Get full rules →