{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-compute/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Virtual Machines","Azure Compute"],"_cs_severities":["medium"],"_cs_tags":["azure","execution","cloud","vm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies command execution on Azure Virtual Machines (VMs) by monitoring Azure activity logs for the \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\u003c/code\u003e operation. While roles like Virtual Machine Contributor allow managing VMs, they do not inherently grant access. However, adversaries can leverage PowerShell to remotely execute commands on a VM as the SYSTEM user. This rule is triggered upon successful command execution and could indicate malicious activity, particularly if initiated by unexpected users or systems. The rule aims to detect unauthorized command executions, potentially revealing lateral movement or unauthorized access attempts. Originally created in August 2020, this rule was last updated on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an Azure account or service principal with Virtual Machine Contributor or similar permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Azure Virtual Machine.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eRunCommand\u003c/code\u003e feature of the Azure Compute service to execute commands on the target VM. This leverages the \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe command is executed on the VM with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform reconnaissance, such as listing directory contents, user accounts, or network configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally by installing malware, creating new accounts, or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing persistence within the Azure environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, installation of malware, lateral movement within the Azure environment, and potential compromise of other resources. While the specific number of victims and targeted sectors are not provided, the impact on affected organizations includes data breaches, system downtime, and reputational damage. The damage depends on the commands executed and the attacker's ultimate objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Compute VM Command Executed\u003c/code\u003e to your SIEM to detect suspicious command executions (see below).\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for the \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\u003c/code\u003e operation and investigate any unexpected command executions.\u003c/li\u003e\n\u003cli\u003eImplement least privilege access controls for Azure resources, limiting the ability to execute commands on VMs to only authorized users and service principals.\u003c/li\u003e\n\u003cli\u003eMonitor the roles and permissions of users and service principals with Virtual Machine Contributor roles, revoking unnecessary permissions.\u003c/li\u003e\n\u003cli\u003eConfigure alerting on successful \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\u003c/code\u003e events to enable rapid incident response.\u003c/li\u003e\n\u003cli\u003eCorrelate command execution events with other security logs to identify potential lateral movement or other suspicious activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-24-azure-vm-command-execution/","summary":"Successful execution of commands on Azure Virtual Machines, specifically the MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation, may indicate unauthorized activity or lateral movement attempts.","title":"Azure Compute VM Command Execution Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-24-azure-vm-command-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Compute"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities, and their deletion can severely impact an organization's ability to recover from incidents, making them attractive targets for adversaries. This rule leverages Azure Activity Logs to detect unusual deletion activity, specifically focusing on the \u0026quot;MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE\u0026quot; event. The goal is to identify potentially malicious activity, such as ransomware attacks or attempts to cover tracks during malicious operations, targeting Azure environments. The activity logs are analyzed to create a baseline of users deleting Azure restore point collections, and deviations from this baseline are considered anomalous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges within the Azure environment to gain the necessary permissions to manage and delete Restore Point Collections.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker identifies Restore Point Collections associated with critical virtual machines within the Azure environment.\u003c/li\u003e\n\u003cli\u003eCredential Access: The attacker attempts to gain access to additional accounts or credentials stored within the compromised system.\u003c/li\u003e\n\u003cli\u003eImpair Defenses: The attacker deletes the Restore Point Collections to inhibit system recovery and prevent restoration of virtual machines to a previous state. The event is logged as \u0026quot;MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE\u0026quot; in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker encrypts virtual machines with ransomware, knowing that recovery from backups is hindered due to the deleted Restore Point Collections.\u003c/li\u003e\n\u003cli\u003eCover Tracks: The attacker attempts to delete logs and other evidence of their activity to prevent detection and investigation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Azure Restore Point Collections can severely impact an organization's ability to recover from ransomware attacks or other malicious activities. The loss of these recovery points can lead to extended downtime, data loss, and financial repercussions. The blog post referenced describes STORM-0501 using similar techniques in hybrid cloud environments. The impact may extend across cloud and on-premise systems. The number of affected virtual machines and the criticality of the impacted systems will determine the overall impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unusual deletions of Azure Restore Point Collections and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for the event \u0026quot;MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE\u0026quot; to investigate potentially malicious deletions.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege for Azure account permissions to limit the potential impact of compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e and \u003ccode\u003eazure.resource.group\u003c/code\u003e fields to identify the specific user and resource groups involved in deletion activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, following the triage and analysis steps outlined in the rule's note field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-restore-point-deletion/","summary":"The deletion of Azure Restore Point Collections, which contain recovery points for virtual machines, by a user who has not previously performed this activity, indicates a potential attempt to prevent recovery during ransomware attacks or cover tracks during malicious operations.","title":"Azure Compute Restore Point Collection Deleted by Unusual User","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-restore-point-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Compute","version":"https://jsonfeed.org/version/1.1"}