T1651 IBM QRadar · QRadar

Detect Cloud Administration Command in IBM QRadar

This detection identifies adversaries abusing cloud-native management services — such as AWS Systems Manager (SSM) Run Command, Azure RunCommand, and Azure Automation Runbooks — to remotely execute commands inside virtual machines. Because these mechanisms use legitimate, pre-installed VM agents (SSM Agent, Azure VM Agent), execution is indistinguishable from authorized administrative activity at the OS level. The detection focuses on the cloud control plane: auditing who invoked the run-command API, from what identity/IP, against which VMs, and whether the invocation pattern deviates from baseline administrative behavior. High-severity APT29/Nobelium tradecraft has leveraged Azure Run Command and Admin-on-Behalf-of (AOBO) post-compromise to execute code on tenant VMs without touching traditional lateral movement paths.

MITRE ATT&CK

Tactic
Execution
Technique
T1651 Cloud Administration Command
Canonical reference
https://attack.mitre.org/techniques/T1651/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    sourceip AS SourceIP,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "CommandLine" ILIKE '%-enc%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS
high severity medium confidence

IBM QRadar AQL detection for Cloud Administration Command (T1651). Queries QRadar event pipeline for indicators consistent with cloud administration command adversary techniques using MITRE ATT&CK-aligned event categorization.

Data Sources

IBM QRadar SIEMWindows Security EventsEndpoint Agent

Required Tables

events

False Positives & Tuning

  • Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
  • Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
  • Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines
Download portable Sigma rule (.yml)

Other platforms for T1651

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure RunCommand - Execute PowerShell via Azure CLI

    Expected signal: AzureActivity log entry with OperationName 'Microsoft.Compute/virtualMachines/runCommand/action', ActivityStatus 'Succeeded', and Caller set to the authenticated user's UPN or service principal object ID. On the VM: SecurityEvent 4688 showing powershell.exe spawned by WindowsAzureGuestAgent.exe.

  2. Test 2AWS SSM Run Command - Execute Shell Script on EC2 Instance

    Expected signal: AWS CloudTrail event with eventName 'SendCommand', eventSource 'ssm.amazonaws.com', requestParameters containing documentName 'AWS-RunShellScript' and target instanceId. On the EC2 instance: /var/log/amazon/ssm/amazon-ssm-agent.log entries showing command receipt and execution.

  3. Test 3Azure Automation Runbook - Execute Commands via Automation Account

    Expected signal: AzureActivity log entries with OperationName 'Microsoft.Automation/automationAccounts/runbooks/write', 'Microsoft.Automation/automationAccounts/jobs/write', and 'Microsoft.Automation/automationAccounts/jobs/read'. Azure Automation job logs in the portal showing execution output.

Last updated: 2026-03-20 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1651 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059.007JavaScriptT1047Windows Management InstrumentationT1053.007Container Orchestration JobT1199Trusted RelationshipT1078.004Cloud AccountsT1204.002Malicious FileT1053.005Scheduled TaskT1129Shared Modules

Same Tactic: Execution

Popular Detections