<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Compute - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-compute/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-compute/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Compute VM Command Execution Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-azure-vm-command-execution/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-azure-vm-command-execution/</guid><description>Successful execution of commands on Azure Virtual Machines, specifically the MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operation, may indicate unauthorized activity or lateral movement attempts.</description><content:encoded><![CDATA[<p>This detection identifies command execution on Azure Virtual Machines (VMs) by monitoring Azure activity logs for the <code>MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION</code> operation. While roles like Virtual Machine Contributor allow managing VMs, they do not inherently grant access. However, adversaries can leverage PowerShell to remotely execute commands on a VM as the SYSTEM user. This rule is triggered upon successful command execution and could indicate malicious activity, particularly if initiated by unexpected users or systems. The rule aims to detect unauthorized command executions, potentially revealing lateral movement or unauthorized access attempts. Originally created in August 2020, this rule was last updated on April 10, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an Azure account or service principal with Virtual Machine Contributor or similar permissions.</li>
<li>The attacker authenticates to the Azure environment using the compromised credentials.</li>
<li>The attacker identifies a target Azure Virtual Machine.</li>
<li>The attacker utilizes the <code>RunCommand</code> feature of the Azure Compute service to execute commands on the target VM. This leverages the <code>MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION</code> operation.</li>
<li>The command is executed on the VM with SYSTEM privileges.</li>
<li>The attacker attempts to perform reconnaissance, such as listing directory contents, user accounts, or network configurations.</li>
<li>The attacker may attempt to move laterally by installing malware, creating new accounts, or modifying system configurations.</li>
<li>The attacker achieves their objective, such as data exfiltration or establishing persistence within the Azure environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, installation of malware, lateral movement within the Azure environment, and potential compromise of other resources. While the specific number of victims and targeted sectors are not provided, the impact on affected organizations includes data breaches, system downtime, and reputational damage. The damage depends on the commands executed and the attacker's ultimate objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Compute VM Command Executed</code> to your SIEM to detect suspicious command executions (see below).</li>
<li>Review Azure activity logs for the <code>MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION</code> operation and investigate any unexpected command executions.</li>
<li>Implement least privilege access controls for Azure resources, limiting the ability to execute commands on VMs to only authorized users and service principals.</li>
<li>Monitor the roles and permissions of users and service principals with Virtual Machine Contributor roles, revoking unnecessary permissions.</li>
<li>Configure alerting on successful <code>MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION</code> events to enable rapid incident response.</li>
<li>Correlate command execution events with other security logs to identify potential lateral movement or other suspicious activities.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>execution</category><category>cloud</category><category>vm</category></item><item><title>Azure Compute Restore Point Collection Deleted by Unusual User</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-restore-point-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-restore-point-deletion/</guid><description>The deletion of Azure Restore Point Collections, which contain recovery points for virtual machines, by a user who has not previously performed this activity, indicates a potential attempt to prevent recovery during ransomware attacks or cover tracks during malicious operations.</description><content:encoded><![CDATA[<p>This detection identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities, and their deletion can severely impact an organization's ability to recover from incidents, making them attractive targets for adversaries. This rule leverages Azure Activity Logs to detect unusual deletion activity, specifically focusing on the &quot;MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE&quot; event. The goal is to identify potentially malicious activity, such as ransomware attacks or attempts to cover tracks during malicious operations, targeting Azure environments. The activity logs are analyzed to create a baseline of users deleting Azure restore point collections, and deviations from this baseline are considered anomalous.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>Privilege Escalation: The attacker escalates privileges within the Azure environment to gain the necessary permissions to manage and delete Restore Point Collections.</li>
<li>Discovery: The attacker identifies Restore Point Collections associated with critical virtual machines within the Azure environment.</li>
<li>Credential Access: The attacker attempts to gain access to additional accounts or credentials stored within the compromised system.</li>
<li>Impair Defenses: The attacker deletes the Restore Point Collections to inhibit system recovery and prevent restoration of virtual machines to a previous state. The event is logged as &quot;MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE&quot; in Azure Activity Logs.</li>
<li>Impact: The attacker encrypts virtual machines with ransomware, knowing that recovery from backups is hindered due to the deleted Restore Point Collections.</li>
<li>Cover Tracks: The attacker attempts to delete logs and other evidence of their activity to prevent detection and investigation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of Azure Restore Point Collections can severely impact an organization's ability to recover from ransomware attacks or other malicious activities. The loss of these recovery points can lead to extended downtime, data loss, and financial repercussions. The blog post referenced describes STORM-0501 using similar techniques in hybrid cloud environments. The impact may extend across cloud and on-premise systems. The number of affected virtual machines and the criticality of the impacted systems will determine the overall impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rule to detect unusual deletions of Azure Restore Point Collections and tune it to your environment.</li>
<li>Review Azure Activity Logs for the event &quot;MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE&quot; to investigate potentially malicious deletions.</li>
<li>Implement the principle of least privilege for Azure account permissions to limit the potential impact of compromised accounts.</li>
<li>Monitor the <code>azure.activitylogs.identity.claims_initiated_by_user.name</code> and <code>azure.resource.group</code> fields to identify the specific user and resource groups involved in deletion activities.</li>
<li>Investigate any alerts generated by the Sigma rules, following the triage and analysis steps outlined in the rule's note field.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>impact</category></item></channel></rss>