security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2c860693c8d59d04e7bbfcda546347187c5a357
sigma-rules/rules/azure/execution_command_virtual_machine.toml
T

57 lines
2.1 KiB
TOML
Raw Normal View History

[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
[metadata]
creation_date = "2020/08/17"
maturity = "production"
[Rule Tuning] Update rules for new Fleet integrations (#729)
2020-12-18 12:23:12 -05:00
updated_date = "2020/12/15"
[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
[rule]
author = ["Elastic"]
description = """
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-24 01:03:29 -05:00
virtual machines, but not access them, nor access the virtual network or storage account theyre connected to. However,
commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
may be able to execute commands on a VM as well.
[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
"""
false_positives = [
"""
Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
username, hostname, and/or resource name should be making changes in your environment. Command execution from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
from = "now-25m"
[Rule Tuning] Update rules for new Fleet integrations (#729)
2020-12-18 12:23:12 -05:00
index = ["filebeat-*", "logs-azure*"]
[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
language = "kuery"
license = "Elastic License"
name = "Azure Command Execution on Virtual Machine"
note = "The Azure Filebeat module must be enabled to use this rule."
references = [
"https://adsecurity.org/?p=4277",
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
]
risk_score = 47
rule_id = "60884af6-f553-4a6c-af13-300047455491"
severity = "medium"
[Rule Tuning] Tag Categorization Updates (#380)
2020-10-26 13:50:45 -05:00
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
type = "query"
query = '''
[Rule Tuning] Update rules for new Fleet integrations (#729)
2020-12-18 12:23:12 -05:00
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:(Success or success)
[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
2020-09-24 01:03:29 -05:00
name = "Command and Scripting Interpreter"
[New Rule] Azure Command Execution on Virtual Machine (#155)
2020-09-03 17:09:40 -04:00
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue Copy Permalink