Detect Cloud Administration Command in Elastic Security
This detection identifies adversaries abusing cloud-native management services — such as AWS Systems Manager (SSM) Run Command, Azure RunCommand, and Azure Automation Runbooks — to remotely execute commands inside virtual machines. Because these mechanisms use legitimate, pre-installed VM agents (SSM Agent, Azure VM Agent), execution is indistinguishable from authorized administrative activity at the OS level. The detection focuses on the cloud control plane: auditing who invoked the run-command API, from what identity/IP, against which VMs, and whether the invocation pattern deviates from baseline administrative behavior. High-severity APT29/Nobelium tradecraft has leveraged Azure Run Command and Admin-on-Behalf-of (AOBO) post-compromise to execute code on tenant VMs without touching traditional lateral movement paths.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1651 Cloud Administration Command
- Canonical reference
- https://attack.mitre.org/techniques/T1651/
Elastic Detection Query
any where event.dataset : "azure.*" and (
event.action : ("Add*", "Update*", "Delete*", "Consent*") and
not user.name : "service-*"
) or (
event.dataset == "azure.signinlogs" and
event.outcome == "success" and
source.as.organization.name : ("Tor*", "VPN*")
)Elastic EQL detection for Cloud Administration Command (T1651). Identifies cloud administration command activity by correlating endpoint telemetry patterns consistent with known adversary techniques.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
- Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
- Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines
Other platforms for T1651
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure RunCommand - Execute PowerShell via Azure CLI
Expected signal: AzureActivity log entry with OperationName 'Microsoft.Compute/virtualMachines/runCommand/action', ActivityStatus 'Succeeded', and Caller set to the authenticated user's UPN or service principal object ID. On the VM: SecurityEvent 4688 showing powershell.exe spawned by WindowsAzureGuestAgent.exe.
- Test 2AWS SSM Run Command - Execute Shell Script on EC2 Instance
Expected signal: AWS CloudTrail event with eventName 'SendCommand', eventSource 'ssm.amazonaws.com', requestParameters containing documentName 'AWS-RunShellScript' and target instanceId. On the EC2 instance: /var/log/amazon/ssm/amazon-ssm-agent.log entries showing command receipt and execution.
- Test 3Azure Automation Runbook - Execute Commands via Automation Account
Expected signal: AzureActivity log entries with OperationName 'Microsoft.Automation/automationAccounts/runbooks/write', 'Microsoft.Automation/automationAccounts/jobs/write', and 'Microsoft.Automation/automationAccounts/jobs/read'. Azure Automation job logs in the portal showing execution output.
References (6)
- https://attack.mitre.org/techniques/T1651/
- https://docs.microsoft.com/en-us/azure/virtual-machines/run-command-overview
- https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
- https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- https://o365blog.com/post/run-command/
- https://github.com/RhinoSecurityLabs/pacu
Unlock Pro Content
Get the full detection package for T1651 including response playbook, investigation guide, and atomic red team tests.