T1651 Splunk · SPL

Detect Cloud Administration Command in Splunk

This detection identifies adversaries abusing cloud-native management services — such as AWS Systems Manager (SSM) Run Command, Azure RunCommand, and Azure Automation Runbooks — to remotely execute commands inside virtual machines. Because these mechanisms use legitimate, pre-installed VM agents (SSM Agent, Azure VM Agent), execution is indistinguishable from authorized administrative activity at the OS level. The detection focuses on the cloud control plane: auditing who invoked the run-command API, from what identity/IP, against which VMs, and whether the invocation pattern deviates from baseline administrative behavior. High-severity APT29/Nobelium tradecraft has leveraged Azure Run Command and Admin-on-Behalf-of (AOBO) post-compromise to execute code on tenant VMs without touching traditional lateral movement paths.

MITRE ATT&CK

Tactic: Execution
Technique: T1651 Cloud Administration Command
Canonical reference: https://attack.mitre.org/techniques/T1651/

SPL Detection Query

Splunk (SPL)

index=* (sourcetype="azure:activity" OR sourcetype="azure:audit" OR sourcetype="mscs:azure:activity")
| eval operation_lower=lower(operationName)
| search operation_lower IN (
    "microsoft.compute/virtualmachines/runcommand/action",
    "microsoft.automation/automationaccounts/jobs/write",
    "microsoft.compute/virtualmachines/extensions/write"
  )
| eval result_status=coalesce(resultType, status)
| search result_status IN ("Success", "Succeeded", "Accepted", "Started")
| eval vm_name=mvindex(split(resourceId, "/"), 8)
| eval resource_group=resourceGroup
| eval caller_identity=coalesce(caller, 'claims.upn', 'properties.principalOid')
| eval source_ip=callerIpAddress
| eval subscription_id=subscriptionId
| stats
    count AS invocation_count,
    values(vm_name) AS targeted_vms,
    values(source_ip) AS source_ips,
    earliest(_time) AS first_seen,
    latest(_time) AS last_seen
    BY caller_identity, resource_group, subscription_id, operation_lower
| eval duration_seconds=last_seen - first_seen
| eval multi_vm_targeting=if(mvcount(targeted_vms) > 3, "TRUE", "FALSE")
| eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ"), last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%SZ")
| table caller_identity, source_ips, targeted_vms, resource_group, subscription_id, operation_lower, invocation_count, multi_vm_targeting, duration_seconds, first_seen, last_seen
| sort - invocation_count

Severity: High · Confidence: Medium

Searches Azure Activity logs ingested into Splunk for RunCommand and Automation job invocations. Aggregates by caller identity to surface accounts that are targeting multiple VMs (a common reconnaissance or lateral movement pattern). The multi_vm_targeting field flags callers who invoke RunCommand against more than 3 distinct VMs within the detection window, which is a strong indicator of mass execution campaigns like those conducted by APT29.
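The filtering and per-caller aggregation the query performs, re-implemented in Python over constructed Azure Activity records so the logic can be exercised offline. This is an added example, not code from the detection package; field names follow the SPL, and the identities, IPs, VM names and timestamps in the sample are constructed.

```python
from collections import defaultdict

# Operation names and success statuses the SPL above filters on (lower-cased).
RUN_COMMAND_OPS = {"microsoft.compute/virtualmachines/runcommand/action",
                   "microsoft.automation/automationaccounts/jobs/write",
                   "microsoft.compute/virtualmachines/extensions/write"}
SUCCESS_STATUS = {"success", "succeeded", "accepted", "started"}
MULTI_VM_THRESHOLD = 3  # more than 3 distinct VMs sets multi_vm_targeting

def make_event(t, caller, ip, vm, op="Microsoft.Compute/virtualMachines/runCommand/action",
               status="Success", rg="prod-rg", sub="sub-0001"):
    """Constructed Azure Activity record using the field names the SPL expects."""
    rid = f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm}"
    return {"_time": t, "caller": caller, "callerIpAddress": ip, "operationName": op,
            "resultType": status, "resourceGroup": rg, "subscriptionId": sub, "resourceId": rid}

# Constructed sample: one identity sweeping four VMs, an admin touching one VM, a failed attempt, and an unrelated read.
SAMPLE_EVENTS = [make_event(1700000000 + i * 30, "svc-deploy@example.com", "203.0.113.10", f"web-0{i + 1}")
                 for i in range(4)] + [
    make_event(1700000500, "ops@example.com", "198.51.100.7", "web-01"),
    make_event(1700000600, "ops@example.com", "198.51.100.7", "db-01", status="Failed"),
    make_event(1700000700, "ops@example.com", "198.51.100.7", "db-01", op="Microsoft.Compute/virtualMachines/read")]

def vm_name(resource_id):
    """Ninth '/'-separated segment of resourceId, as mvindex(split(resourceId, "/"), 8)."""
    parts = resource_id.split("/")
    return parts[8] if len(parts) > 8 else None

def caller_identity(e):
    """Same precedence as coalesce(caller, claims.upn, properties.principalOid)."""
    return e.get("caller") or e.get("claims", {}).get("upn") or e.get("properties", {}).get("principalOid")

def summarize(events):
    """Group qualifying events like the SPL stats clause and flag multi-VM callers."""
    groups = defaultdict(lambda: {"count": 0, "vms": set(), "ips": set(), "times": []})
    for e in events:
        op = e.get("operationName", "").lower()
        status = (e.get("resultType") or e.get("status") or "").lower()  # coalesce(resultType, status)
        if op not in RUN_COMMAND_OPS or status not in SUCCESS_STATUS:
            continue
        g = groups[(caller_identity(e), e.get("resourceGroup"), e.get("subscriptionId"), op)]
        g["count"] += 1
        g["ips"].add(e.get("callerIpAddress"))
        g["times"].append(e["_time"])
        if vm := vm_name(e.get("resourceId", "")):
            g["vms"].add(vm)
    rows = [{"caller_identity": k[0], "resource_group": k[1], "subscription_id": k[2], "operation_lower": k[3],
             "invocation_count": g["count"], "targeted_vms": sorted(g["vms"]), "source_ips": sorted(g["ips"]),
             "first_seen": min(g["times"]), "last_seen": max(g["times"]),
             "duration_seconds": max(g["times"]) - min(g["times"]),
             "multi_vm_targeting": len(g["vms"]) > MULTI_VM_THRESHOLD} for k, g in groups.items()]
    return sorted(rows, key=lambda r: -r["invocation_count"])
```

Running `summarize(SAMPLE_EVENTS)` returns two rows: the sweeping identity (four VMs, flagged) first and the single-VM admin second; the failed and unrelated events are dropped before aggregation.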

Data Sources

  • Azure Activity Logs
  • Splunk

Required Sourcetypes

  • azure:activity
  • azure:audit
  • mscs:azure:activity

False Positives & Tuning

  • Automated patching pipelines that invoke RunCommand across all VMs in a subscription during maintenance windows
  • Azure DevOps release pipelines that use RunCommand to deploy application artifacts to multiple VMs simultaneously
  • Monitoring solutions that periodically run diagnostic scripts on all VMs to collect health metrics
  • Security baselines or CIS compliance scripts executed by cloud security teams across an entire VM fleet
Testing Methodology

Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Azure RunCommand - Execute PowerShell via Azure CLI

    Expected signal: AzureActivity log entry with OperationName 'Microsoft.Compute/virtualMachines/runCommand/action', ActivityStatus 'Succeeded', and Caller set to the authenticated user's UPN or service principal object ID. On the VM: SecurityEvent 4688 showing powershell.exe spawned by WindowsAzureGuestAgent.exe.

  2. Test 2: AWS SSM Run Command - Execute Shell Script on EC2 Instance

    Expected signal: AWS CloudTrail event with eventName 'SendCommand', eventSource 'ssm.amazonaws.com', requestParameters containing documentName 'AWS-RunShellScript' and target instanceId. On the EC2 instance: /var/log/amazon/ssm/amazon-ssm-agent.log entries showing command receipt and execution.

  3. Test 3: Azure Automation Runbook - Execute Commands via Automation Account

    Expected signal: AzureActivity log entries with OperationName 'Microsoft.Automation/automationAccounts/runbooks/write', 'Microsoft.Automation/automationAccounts/jobs/write', and 'Microsoft.Automation/automationAccounts/jobs/read'. Azure Automation job logs in the portal showing execution output.
