Azure Suspicious Hybrid Machine Run Command Execution

Detection overview

Triggers

  • The Microsoft Entra Identity executing the command does not typically perform Run Commands on Azure hybrid machines, indicating potential malicious activity.
  • The execution of the Run Command is occurring outside of regular business hours.
  • Multiple instances of suspicious Run Command executions are detected within a short timeframe, or Run Commands are being executed anomalously across multiple hybrid machines.
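The three triggers above, applied to Azure Activity Log records as detection logic. This is an added example, not part of the original detection writeup: the operation name, the simplified record fields (operationName, caller, resourceId, eventTimestamp), the business-hours window, the burst window and threshold, and the sample records are all assumptions to confirm against your own tenant.

```python
from datetime import datetime
# Assumed ARM operation name logged when a Run Command is issued to an Arc-enabled
# (hybrid) machine; confirm it against your tenant's Activity Log before relying on it.
RUN_COMMAND_OP = "Microsoft.HybridCompute/machines/runCommands/write"
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 in the tenant's working time zone (UTC here)
BURST_WINDOW_SEC = 600          # what "a short timeframe" means for the burst trigger
BURST_THRESHOLD = 3             # executions, or distinct machines, inside that window

def _ts(record):
    return datetime.fromisoformat(record["eventTimestamp"].replace("Z", "+00:00"))

def classify(records, known_callers):
    """Return [(record, triggers_fired)] for Run Command records firing any trigger;
    records are Activity Log dicts (operationName, caller, resourceId, eventTimestamp),
    known_callers the identities whose baseline already includes Run Commands."""
    runs = sorted((r for r in records if r["operationName"] == RUN_COMMAND_OP), key=_ts)
    findings = []
    for r in runs:
        hits = set()
        if r["caller"] not in known_callers:      # trigger 1: identity with no history
            hits.add("unusual_identity")
        if _ts(r).hour not in BUSINESS_HOURS:     # trigger 2: outside business hours
            hits.add("off_hours")
        # trigger 3: same caller, many runs or many machines (runCommands segment stripped)
        recent = [w for w in runs if w["caller"] == r["caller"]
                  and 0 <= (_ts(r) - _ts(w)).total_seconds() <= BURST_WINDOW_SEC]
        machines = {w["resourceId"].split("/runCommands/")[0] for w in recent}
        if len(recent) >= BURST_THRESHOLD or len(machines) >= BURST_THRESHOLD:
            hits.add("burst_or_fanout")
        if hits:
            findings.append((r, hits))
    return findings

def _rec(caller, machine, when, op=RUN_COMMAND_OP):
    rid = f"/subscriptions/sub0/resourceGroups/rg/providers/Microsoft.HybridCompute/machines/{machine}"
    return {"operationName": op, "caller": caller, "eventTimestamp": when,
            "resourceId": rid + ("/runCommands/rc1" if op == RUN_COMMAND_OP else "")}

# Constructed sample records, not real tenant data: a routine daytime patch run by a
# known automation identity, a plain read that must be ignored, then an unknown
# identity hitting three machines at 02:00 within two minutes.
SAMPLE_RECORDS = [
    _rec("patch-automation@example.com", "web01", "2024-05-06T10:15:00Z"),
    _rec("patch-automation@example.com", "web01", "2024-05-06T10:16:00Z",
         op="Microsoft.HybridCompute/machines/read"),
    _rec("unknown-user@example.com", "web01", "2024-05-07T02:00:00Z"),
    _rec("unknown-user@example.com", "db01", "2024-05-07T02:01:00Z"),
    _rec("unknown-user@example.com", "db02", "2024-05-07T02:02:00Z"),
]
```

The known-caller baseline would normally be built from the same log over a longer look-back window, and the business-hours range should follow the tenant's locale rather than UTC.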

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on hybrid machines without permission.
  • Misconfigured Permissions: A Microsoft Entra Identity has excessive privileges, allowing it to execute Run Commands on hybrid machines it should not have access to.
  • Human Error: Accidental or unintentional execution of Azure Resource Manager (ARM) commands by a legitimate user.
  • Legitimate Administrative Action: A valid Microsoft Entra Identity is running a script to configure a new hybrid machine for production use, requiring Run Commands with elevated privileges.
  • Automated Deployment: A legitimate application is utilizing Azure's Run Command feature to automate updates and patches for a hybrid machine or a fleet of hybrid machines.

Business Impact

  • Data loss or corruption due to unauthorized deletions.
  • Security breaches resulting from the exploitation of vulnerabilities or abuse of privileges.
  • Compliance issues due to non-adherence to security policies.
  • Downtime and revenue loss caused by malicious activity.

Steps to Verify

  • Investigate the Microsoft Entra Identity executing the Run Command for any signs of unauthorized access or excessive privileges.
  • Review the user's or service principal's permissions and access levels within Azure.
  • Examine the parameters used in the Run Command to identify potential security risks, such as the deletion of sensitive data.
  • Verify if any additional security alerts or notifications were triggered around the time of the suspicious event.
  • Check for any unusual or unexplained changes to Azure resources or services.
  • Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.