T1651 Cloud Administration Command Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detection 1: Azure RunCommand invocations via AzureActivity
let SuspiciousRunCommandOps = AzureActivity
| where TimeGenerated >= ago(24h)
| where OperationNameValue has_any (
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "Microsoft.Compute/virtualMachines/runCommand/action"
)
| where ActivityStatusValue in ("Success", "Accepted", "Started")
| extend CallerIdentity = Caller
| extend VMName = tostring(split(ResourceId, "/")[8])
| extend ResourceGroupName = ResourceGroup
| extend SourceIP = CallerIpAddress
| project
    TimeGenerated,
    CallerIdentity,
    SourceIP,
    VMName,
    ResourceGroupName,
    SubscriptionId,
    OperationNameValue,
    ActivityStatusValue,
    Properties
;
// Detection 2: Azure Automation Runbook execution
let RunbookOps = AzureActivity
| where TimeGenerated >= ago(24h)
| where OperationNameValue has_any (
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE",
    "Microsoft.Automation/automationAccounts/jobs/write",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/TESTJOB/WRITE"
)
| where ActivityStatusValue in ("Success", "Accepted")
| extend CallerIdentity = Caller
| extend AutomationAccount = tostring(split(ResourceId, "/")[8])
| project
    TimeGenerated,
    CallerIdentity,
    SourceIP = CallerIpAddress,
    AutomationAccount,
    ResourceGroup,
    SubscriptionId,
    OperationNameValue,
    ActivityStatusValue
;
SuspiciousRunCommandOps
| union RunbookOps
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Azure Monitor Azure Activity Logs Microsoft Sentinel

Required Tables

AzureActivity

False Positives

Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines
Security tooling or EDR agents that use RunCommand to push policy updates or perform remediation actions on endpoints
Azure Monitor or Log Analytics agent extensions that periodically use VM management APIs for health reporting

Splunk

spl

// Azure RunCommand via Azure Activity Logs in Splunk
index=* (sourcetype="azure:activity" OR sourcetype="azure:audit" OR sourcetype="mscs:azure:activity")
| eval operation_lower=lower(operationName)
| search operation_lower IN (
    "microsoft.compute/virtualmachines/runcommand/action",
    "microsoft.automation/automationaccounts/jobs/write",
    "microsoft.compute/virtualmachines/extensions/write"
  )
| eval result_status=coalesce(resultType, status)
| search result_status IN ("Success", "Accepted", "Started")
| eval vm_name=mvindex(split(resourceId, "/"), 8)
| eval resource_group=resourceGroup
| eval caller_identity=coalesce(caller, claims.upn, properties.principalOid)
| eval source_ip=callerIpAddress
| eval subscription_id=subscriptionId
| eval event_time=strftime(_time, "%Y-%m-%dT%H:%M:%SZ")
| stats
    count AS invocation_count,
    values(vm_name) AS targeted_vms,
    values(source_ip) AS source_ips,
    earliest(_time) AS first_seen,
    latest(_time) AS last_seen
    BY caller_identity, resource_group, subscription_id, operation_lower
| eval duration_seconds=last_seen - first_seen
| eval multi_vm_targeting=if(mvcount(targeted_vms) > 3, "TRUE", "FALSE")
| table event_time, caller_identity, source_ips, targeted_vms, resource_group, subscription_id, operation_lower, invocation_count, multi_vm_targeting, first_seen, last_seen
| sort - invocation_count

high severity medium confidence

Data Sources

Azure Activity Logs Splunk

Required Sourcetypes

azure:activity azure:audit mscs:azure:activity

False Positives

Automated patching pipelines that invoke RunCommand across all VMs in a subscription during maintenance windows
Azure DevOps release pipelines that use RunCommand to deploy application artifacts to multiple VMs simultaneously
Monitoring solutions that periodically run diagnostic scripts on all VMs to collect health metrics
Security baselines or CIS compliance scripts executed by cloud security teams across an entire VM fleet

Elastic Security (EQL)

eql

any where event.dataset : "azure.*" and (
  event.action : ("Add*", "Update*", "Delete*", "Consent*") and
  not user.name : "service-*"
) or (
  event.dataset == "azure.signinlogs" and
  event.outcome == "success" and
  source.as.organization.name : ("Tor*", "VPN*")
)

high severity medium confidence

Data Sources

Azure Active Directory Elastic Azure Integration

Required Tables

logs-azure.auditlogs-* logs-azure.signinlogs-*

False Positives

Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    sourceip AS SourceIP,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "CommandLine" ILIKE '%-enc%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines

Sumo Logic CSE

sql

_sourceCategory=windows/* OR _sourceCategory=endpoint/*
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where process_cmdline matches /(-enc|-bypass|-hidden)/i
| if(process_cmdline matches /-enc/i, 80, 60) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/* OR _sourceCategory=endpoint/*

False Positives

Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines

Google Chronicle / SecOps

yaral

rule detection_t1651 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Cloud Administration Command - T1651"
    severity = "HIGH"
    mitre_attack = "T1651"
    reference = "https://attack.mitre.org/techniques/T1651/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript)\.exe$`) and
    re.regex($e.target.process.command_line, `(?i)(-enc|-bypass|invoke-expression)`)
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

EDR Platform

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| CommandLine = /(?i)(-enc|-bypass|invoke-expression)/
| case {
    CommandLine = /(?i)-enc/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    * | DetectionType := "SuspiciousExecution"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, ProcessId])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2

False Positives

Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines

Cloud Administration Command

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections