T1651 Microsoft Sentinel · KQL

Detect Cloud Administration Command in Microsoft Sentinel

This detection identifies adversaries abusing cloud-native management services — such as AWS Systems Manager (SSM) Run Command, Azure RunCommand, and Azure Automation Runbooks — to remotely execute commands inside virtual machines. Because these mechanisms use legitimate, pre-installed VM agents (SSM Agent, Azure VM Agent), the execution is indistinguishable from authorized administrative activity at the OS level. The detection therefore focuses on the cloud control plane: auditing who invoked the run-command API, from which identity and IP address, against which VMs, and whether the invocation pattern deviates from baseline administrative behavior. APT29/Nobelium has used Azure Run Command and Admin-on-Behalf-of (AOBO) delegated access post-compromise to execute code on tenant VMs without touching traditional lateral movement paths.

MITRE ATT&CK

Tactic: Execution
Technique: T1651 Cloud Administration Command
Canonical reference: https://attack.mitre.org/techniques/T1651/

KQL Detection Query

Microsoft Sentinel (KQL)
// Detection 1: Azure RunCommand invocations via AzureActivity
let SuspiciousRunCommandOps = AzureActivity
| where TimeGenerated >= ago(24h)
// has_any matches case-insensitively, so either casing below is sufficient;
// both are listed so the filter reads the same as the raw Activity Log values
| where OperationNameValue has_any (
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "Microsoft.Compute/virtualMachines/runCommand/action"
)
// ActivityStatusValue carries "Success"/"Accept"/"Start"; the legacy ActivityStatus
// column carries "Succeeded"/"Accepted"/"Started". Accept both spellings, case-insensitively.
| where ActivityStatusValue in~ ("Success", "Accept", "Start", "Succeeded", "Accepted", "Started")
| extend CallerIdentity = Caller
// ResourceId has the shape
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
// so element 8 of the "/"-split array is the VM name
| extend VMName = tostring(split(ResourceId, "/")[8])
| extend SourceIP = CallerIpAddress
| extend DetectionSource = "Azure RunCommand"
| project
    TimeGenerated,
    DetectionSource,
    CallerIdentity,
    SourceIP,
    TargetResource = VMName,
    ResourceGroup,
    SubscriptionId,
    OperationNameValue,
    ActivityStatusValue,
    Properties
;
// Detection 2: Azure Automation Runbook job submission
let RunbookOps = AzureActivity
| where TimeGenerated >= ago(24h)
| where OperationNameValue has_any (
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE",
    "Microsoft.Automation/automationAccounts/jobs/write",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/TESTJOB/WRITE"
)
| where ActivityStatusValue in~ ("Success", "Accept", "Succeeded", "Accepted")
| extend CallerIdentity = Caller
// Same path shape: element 8 is the Automation account name
| extend AutomationAccount = tostring(split(ResourceId, "/")[8])
| extend DetectionSource = "Azure Automation Runbook"
| project
    TimeGenerated,
    DetectionSource,
    CallerIdentity,
    SourceIP = CallerIpAddress,
    TargetResource = AutomationAccount,
    ResourceGroup,
    SubscriptionId,
    OperationNameValue,
    ActivityStatusValue,
    Properties
;
// Both detections share one column set, so the union is clean: TargetResource is the VM
// for RunCommand hits and the Automation account for Runbook hits. Newest first.
SuspiciousRunCommandOps
| union RunbookOps
| order by TimeGenerated desc

Severity: High · Confidence: Medium

Detects Azure RunCommand and Azure Automation Runbook invocations via the AzureActivity log. Monitors for the specific operation names used when an identity (user, service principal, or delegated admin) calls the RunCommand API on a VM or submits an Automation job. Alerts on both successful and in-progress invocations to capture the earliest signal. A secondary union covers Runbook job creation which can achieve the same code execution outcome as RunCommand.

Data Sources

Azure Monitor · Azure Activity Logs · Microsoft Sentinel

Required Tables

AzureActivity

False Positives & Tuning

  • Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
  • Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
  • Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines
  • Security tooling or EDR agents that use RunCommand to push policy updates or perform remediation actions on endpoints
  • Azure Monitor or Log Analytics agent extensions that periodically use VM management APIs for health reporting

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Azure RunCommand - Execute PowerShell via Azure CLI

    Expected signal: AzureActivity log entry with OperationName 'Microsoft.Compute/virtualMachines/runCommand/action', ActivityStatus 'Succeeded', and Caller set to the authenticated user's UPN or service principal object ID. On the VM: SecurityEvent 4688 showing powershell.exe spawned by WindowsAzureGuestAgent.exe.

  2. Test 2: AWS SSM Run Command - Execute Shell Script on EC2 Instance

    Expected signal: AWS CloudTrail event with eventName 'SendCommand', eventSource 'ssm.amazonaws.com', requestParameters containing documentName 'AWS-RunShellScript' and target instanceId. On the EC2 instance: /var/log/amazon/ssm/amazon-ssm-agent.log entries showing command receipt and execution.

  3. Test 3: Azure Automation Runbook - Execute Commands via Automation Account

    Expected signal: AzureActivity log entries with OperationName 'Microsoft.Automation/automationAccounts/runbooks/write', 'Microsoft.Automation/automationAccounts/jobs/write', and 'Microsoft.Automation/automationAccounts/jobs/read'. Azure Automation job logs in the portal showing execution output.
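The same detection logic, as an added offline example (not the page's KQL or any vendor code): it evaluates constructed AzureActivity rows and a constructed CloudTrail SendCommand event (the AWS signal from Test 2, which the KQL above does not cover) against the operation names and status values the query matches, and drops callers found on a hypothetical approved-automation allowlist, the tuning approach the False Positives section suggests. The allowlist contents, identities, IPs and resource names are all assumptions.

```python
# Operation names matched by the KQL query; compared case-insensitively, as has_any does
AZURE_OPS = {
    "microsoft.compute/virtualmachines/runcommand/action": "Azure RunCommand",
    "microsoft.automation/automationaccounts/jobs/write": "Azure Automation Runbook",
    "microsoft.automation/automationaccounts/runbooks/draft/testjob/write": "Azure Automation Runbook",
}
ALERT_STATUSES = {"success", "accept", "start", "succeeded", "accepted", "started"}  # ActivityStatusValue + legacy ActivityStatus spellings
APPROVED_CALLERS = {"patch-automation-sp@contoso.example"}  # hypothetical tuning allowlist (constructed)

def resource_name(resource_id):
    """Index 8 of the '/'-split ResourceId is the VM or Automation account name."""
    parts = resource_id.split("/")
    return parts[8] if len(parts) > 8 else ""

def evaluate_azure(row):
    """Mirror of Detections 1 and 2: an alert dict, or None, for one AzureActivity row."""
    op, status = row.get("OperationNameValue", "").lower(), row.get("ActivityStatusValue", "").lower()
    source = next((name for key, name in AZURE_OPS.items() if key in op), None)
    if source is None or status not in ALERT_STATUSES:
        return None
    return {"source": source, "caller": row.get("Caller", ""), "ip": row.get("CallerIpAddress", ""),
            "target": resource_name(row.get("ResourceId", "")),
            "allowlisted": row.get("Caller", "") in APPROVED_CALLERS}

def evaluate_cloudtrail(event):
    """AWS counterpart from Test 2 (SSM SendCommand), which the KQL above does not cover."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return None
    params = event.get("requestParameters", {})
    return {"source": "AWS SSM Run Command", "caller": event.get("userIdentity", {}).get("arn", ""),
            "ip": event.get("sourceIPAddress", ""), "target": ",".join(params.get("instanceIds", [])),
            "document": params.get("documentName", ""), "allowlisted": False}

def run_detection(azure_rows, cloudtrail_events):
    """Return the alerts whose caller is not on the approved-automation allowlist."""
    hits = [evaluate_azure(r) for r in azure_rows] + [evaluate_cloudtrail(e) for e in cloudtrail_events]
    return [h for h in hits if h is not None and not h["allowlisted"]]

# Constructed sample telemetry (no real tenant, account or VM data)
SAMPLE_AZURE = [
    {"OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", "ActivityStatusValue": "Success",
     "Caller": "alice@contoso.example", "CallerIpAddress": "198.51.100.23",
     "ResourceId": "/subscriptions/s0/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"},
    {"OperationNameValue": "Microsoft.Automation/automationAccounts/jobs/write", "ActivityStatusValue": "Accept",
     "Caller": "patch-automation-sp@contoso.example", "CallerIpAddress": "203.0.113.7",
     "ResourceId": "/subscriptions/s0/resourceGroups/ops-rg/providers/Microsoft.Automation/automationAccounts/maint-aa"},
]
SAMPLE_CLOUDTRAIL = [{"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "sourceIPAddress": "192.0.2.44",
                      "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
                      "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0example1"]}}]
```

Running `run_detection(SAMPLE_AZURE, SAMPLE_CLOUDTRAIL)` yields two alerts (the interactive RunCommand on web01 and the SSM SendCommand); the allowlisted Runbook job is still evaluated but suppressed.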
