security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2c860693c8d59d04e7bbfcda546347187c5a357
sigma-rules/rules/azure/execution_command_virtual_machine.toml
T
Brent Murphy 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729) 
* update azure indicies

* remove . in index to match prior cloud rules

* update o365 indicies

* add event.dataset:google_workspace.admin to existing google workspace rules

* gcp syntax

* add gcp index

* update gcp index

* update index patterns for google workspace rules

* update gcp index2

* update updated_date

* update event outcome for azure

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-18 12:23:12 -05:00

57 lines
2.1 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2020/08/17"
maturity = "production"
updated_date = "2020/12/15"
[rule]
author = ["Elastic"]
description = """
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
virtual machines, but not access them, nor access the virtual network or storage account theyre connected to. However,
commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
may be able to execute commands on a VM as well.
"""
false_positives = [
"""
Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
username, hostname, and/or resource name should be making changes in your environment. Command execution from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License"
name = "Azure Command Execution on Virtual Machine"
note = "The Azure Filebeat module must be enabled to use this rule."
references = [
"https://adsecurity.org/?p=4277",
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
]
risk_score = 47
rule_id = "60884af6-f553-4a6c-af13-300047455491"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink