Detect Cloud Administration Command in Sumo Logic CSE
This detection identifies adversaries abusing cloud-native management services — such as AWS Systems Manager (SSM) Run Command, Azure RunCommand, and Azure Automation Runbooks — to remotely execute commands inside virtual machines. Because these mechanisms use legitimate, pre-installed VM agents (SSM Agent, Azure VM Agent), execution is indistinguishable from authorized administrative activity at the OS level. The detection focuses on the cloud control plane: auditing who invoked the run-command API, from what identity/IP, against which VMs, and whether the invocation pattern deviates from baseline administrative behavior. High-severity APT29/Nobelium tradecraft has leveraged Azure Run Command and Admin-on-Behalf-of (AOBO) post-compromise to execute code on tenant VMs without touching traditional lateral movement paths.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1651 Cloud Administration Command
- Canonical reference
- https://attack.mitre.org/techniques/T1651/
Sumo Detection Query
_sourceCategory=windows/* OR _sourceCategory=endpoint/*
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where process_cmdline matches /(-enc|-bypass|-hidden)/i
| if(process_cmdline matches /-enc/i, 80, 60) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, risk_score
| sort - risk_scoreSumo Logic detection for Cloud Administration Command (T1651). Identifies adversary cloud administration command behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets
- Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection
- Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines
Other platforms for T1651
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure RunCommand - Execute PowerShell via Azure CLI
Expected signal: AzureActivity log entry with OperationName 'Microsoft.Compute/virtualMachines/runCommand/action', ActivityStatus 'Succeeded', and Caller set to the authenticated user's UPN or service principal object ID. On the VM: SecurityEvent 4688 showing powershell.exe spawned by WindowsAzureGuestAgent.exe.
- Test 2AWS SSM Run Command - Execute Shell Script on EC2 Instance
Expected signal: AWS CloudTrail event with eventName 'SendCommand', eventSource 'ssm.amazonaws.com', requestParameters containing documentName 'AWS-RunShellScript' and target instanceId. On the EC2 instance: /var/log/amazon/ssm/amazon-ssm-agent.log entries showing command receipt and execution.
- Test 3Azure Automation Runbook - Execute Commands via Automation Account
Expected signal: AzureActivity log entries with OperationName 'Microsoft.Automation/automationAccounts/runbooks/write', 'Microsoft.Automation/automationAccounts/jobs/write', and 'Microsoft.Automation/automationAccounts/jobs/read'. Azure Automation job logs in the portal showing execution output.
References (6)
- https://attack.mitre.org/techniques/T1651/
- https://docs.microsoft.com/en-us/azure/virtual-machines/run-command-overview
- https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
- https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- https://o365blog.com/post/run-command/
- https://github.com/RhinoSecurityLabs/pacu
Unlock Pro Content
Get the full detection package for T1651 including response playbook, investigation guide, and atomic red team tests.