Azure Suspicious Hybrid Machine Run Command Execution

Triggers

• The Microsoft Entra Identity executing the command does not typically perform Run Commands on Azure hybrid machines, indicating potential malicious activity.
• The execution of the Run Command is occurring outside of regular business hours.
• Multiple instances of suspicious Run Command executions are detected within a short timeframe, or Run Commands are being executed anomalously across multiple hybrid machines.

Possible Root Causes

• Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on hybrid machines without permission.
• Misconfigured Permissions: A Microsoft Entra Identity has excessive privileges, allowing them to execute Run Commands on hybrid machines they should not have access to.
• Human Error: Accidental or unintentional execution of Azure Resource Manager (ARM) commands by a legitimate user.
• Legitimate Administrative Action: A valid Microsoft Entra Identity is running a script to configure a new hybrid machine for production use, requiring Run Commands with elevated privileges.
• Automated Deployment: A legitimate application is utilizing Azure�s Run Command feature to automate updates and patches for a hybrid machine or a fleet of hybrid machines.

Business Impact

• Data loss or corruption due to unauthorized deletions.
• Security breaches resulting from the exploitation of vulnerabilities or abuse of privileges.
• Compliance issues due to non-adherence to security policies.
• Downtime and revenue loss caused by malicious activity.

Steps to Verify

• Investigate the Microsoft Entra Identity executing the Run Command for any signs of unauthorized access or excessive privileges.
• Review the user�s or service principal�s permissions and access levels within Azure.
• Examine the parameters used in the Run Command to identify potential security risks, such as the deletion of sensitive data.
• Verify if any additional security alerts or notifications were triggered around the time of the suspicious event.
• Check for any unusual or unexplained changes to Azure resources or services.
• Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.