The Microsoft Entra Identity executing the command does not typically perform Run Commands on Azure hybrid machines, indicating potential malicious activity.
The execution of the Run Command is occurring outside of regular business hours.
Multiple instances of suspicious Run Command executions are detected within a short timeframe, or Run Commands are being executed anomalously across multiple hybrid machines.
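The three trigger conditions above can be scored directly from Run Command events. The script below is an added example, not part of this detection page: it takes constructed Activity Log-style records (caller identity, hybrid machine, operation name, timestamp) and flags an identity that is absent from the Run Command baseline, executions outside business hours, and bursts or fan-out across several hybrid machines inside a short window. The operation name, business-hours window, thresholds and sample events are all assumptions chosen for the example.

```python
"""Triage helper for Azure Arc (hybrid machine) Run Command executions.

Added example. Event fields mirror what Azure Activity Log exposes (caller,
resource, operationName, eventTimestamp) but every value below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ARM operation name for a Run Command on an Arc machine; confirm the
# exact string against your tenant's Activity Log before relying on it.
RUN_COMMAND_OP = "Microsoft.HybridCompute/machines/runCommands/write"
BUSINESS_HOURS = (8, 18)           # assumption: 08:00-17:59 UTC, Monday-Friday
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3                # executions by one identity inside the window
FANOUT_THRESHOLD = 3               # distinct machines touched by one identity inside the window

# Constructed sample events (not from a real tenant).
SAMPLE_EVENTS = [
    {"time": "2024-05-14T10:05:00Z", "caller": "ops-automation-sp", "machine": "arc-web-01", "op": RUN_COMMAND_OP},
    {"time": "2024-05-14T10:06:00Z", "caller": "ops-automation-sp", "machine": "arc-web-02", "op": RUN_COMMAND_OP},
    {"time": "2024-05-14T02:13:00Z", "caller": "alice@contoso.example", "machine": "arc-db-01", "op": RUN_COMMAND_OP},
    {"time": "2024-05-14T02:14:00Z", "caller": "alice@contoso.example", "machine": "arc-db-02", "op": RUN_COMMAND_OP},
    {"time": "2024-05-14T02:16:00Z", "caller": "alice@contoso.example", "machine": "arc-db-03", "op": RUN_COMMAND_OP},
    # A plain read of the machine resource is not a Run Command and must be ignored.
    {"time": "2024-05-14T11:00:00Z", "caller": "alice@contoso.example", "machine": "arc-db-01", "op": "Microsoft.HybridCompute/machines/read"},
]

# Identities seen issuing Run Commands during the lookback period (constructed baseline).
BASELINE_CALLERS = {"ops-automation-sp"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, baseline_callers, business_hours=BUSINESS_HOURS,
           window=BURST_WINDOW, burst_threshold=BURST_THRESHOLD,
           fanout_threshold=FANOUT_THRESHOLD):
    """Return {caller: sorted reasons} for identities whose Run Command activity matches a trigger."""
    run_cmds = sorted((e for e in events if e["op"] == RUN_COMMAND_OP),
                      key=lambda e: parse_ts(e["time"]))
    by_caller = defaultdict(list)
    for event in run_cmds:
        by_caller[event["caller"]].append(event)

    findings = {}
    for caller, evs in by_caller.items():
        reasons = set()
        # Trigger 1: this identity has no history of running Run Commands on hybrid machines.
        if caller not in baseline_callers:
            reasons.add("new_actor")
        for i, event in enumerate(evs):
            t = parse_ts(event["time"])
            # Trigger 2: execution on a weekend or outside the business-hours window.
            if t.weekday() >= 5 or not (business_hours[0] <= t.hour < business_hours[1]):
                reasons.add("off_hours")
            # Trigger 3: sliding window anchored on this event, looking forward only.
            in_window = [x for x in evs[i:] if parse_ts(x["time"]) - t <= window]
            if len(in_window) >= burst_threshold:
                reasons.add("burst")
            if len({x["machine"] for x in in_window}) >= fanout_threshold:
                reasons.add("fan_out")
        if reasons:
            findings[caller] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for caller, reasons in triage(SAMPLE_EVENTS, BASELINE_CALLERS).items():
        print(f"{caller}: {', '.join(reasons)}")
```

The automation service principal stays quiet because it is in the baseline, runs during business hours and touches only two machines; the interactive user is reported on all three triggers. In a real pipeline the baseline set would be built from the same log source over the lookback period rather than hard-coded.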
Possible Root Causes
Unauthorized Access: An attacker has gained control of a Microsoft Entra Identity and is using it to execute Run Commands on hybrid machines without authorization.
Misconfigured Permissions: A Microsoft Entra Identity has excessive privileges, allowing it to execute Run Commands on hybrid machines it should not have access to.
Human Error: Accidental or unintentional execution of Azure Resource Manager (ARM) commands by a legitimate user.
Legitimate Administrative Action: A valid Microsoft Entra Identity is running a script to configure a new hybrid machine for production use, requiring Run Commands with elevated privileges.
Automated Deployment: A legitimate application is utilizing Azure's Run Command feature to automate updates and patches for a hybrid machine or a fleet of hybrid machines.
Business Impact
Data loss or corruption due to unauthorized deletions.
Security breaches resulting from the exploitation of vulnerabilities or abuse of privileges.
Compliance issues due to non-adherence to security policies.
Downtime and revenue loss caused by malicious activity.
Steps to Verify
Investigate the Microsoft Entra Identity executing the Run Command for any signs of unauthorized access or excessive privileges.
Review the user's or service principal's permissions and access levels within Azure.
Examine the parameters used in the Run Command to identify potential security risks, such as the deletion of sensitive data.
Verify if any additional security alerts or notifications were triggered around the time of the suspicious event.
Check for any unusual or unexplained changes to Azure resources or services.
Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
Azure Suspicious Hybrid Machine Run Command Execution