title: Cloud Administration Command (T1651)
id: df00tech-t1651
status: experimental
description: "This detection identifies adversaries abusing cloud-native management services — such as AWS Systems Manager (SSM) Run Command, Azure RunCommand, and Azure Automation Runbooks — to remotely execute commands inside virtual machines. Because these mechanisms use legitimate, pre-installed VM agents (SSM Agent, Azure VM Agent), execution is indistinguishable from authorized administrative activity at the OS level. The detection focuses on the cloud control plane: auditing who invoked the run-command API, from what identity/IP, against which VMs, and whether the invocation pattern deviates from baseline administrative behavior. High-severity APT29/Nobelium tradecraft has leveraged Azure Run Command and Admin-on-Behalf-of (AOBO) post-compromise to execute code on tenant VMs without touching traditional lateral movement paths."
references:
  - https://attack.mitre.org/techniques/T1651/
  - https://df00tech.com/detections/T1651
author: df00tech
date: 2026/03/20
tags:
  - attack.t1651
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
  service: activitylogs
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is an assumed placeholder, not the df00tech query: it matches the
  # Azure Activity Log operation recorded for VM Run Command. Tune the field name and
  # add caller/IP baselining for your environment before relying on it.
  selection:
    operationName: 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION'
  condition: selection
falsepositives:
  - "Legitimate IT operations teams using Azure RunCommand for patching, configuration management, or troubleshooting via approved change tickets"
  - "Azure Automation Runbooks configured for scheduled maintenance tasks such as VM shutdowns, certificate rotation, or log collection"
  - "Cloud management platforms (Ansible Tower, HashiCorp Terraform, Azure Arc) that use RunCommand as part of infrastructure-as-code pipelines"
  - "Security tooling or EDR agents that use RunCommand to push policy updates or perform remediation actions on endpoints"
  - "Azure Monitor or Log Analytics agent extensions that periodically use VM management APIs for health reporting"
level: high
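Added example, not part of the df00tech rule: the control-plane baselining the description outlines (who invoked run-command, from which identity and IP, against which VMs), run over constructed Azure Activity Log and AWS CloudTrail records. The Azure operationName and the CloudTrail eventSource/eventName values are the documented ones; the sample identities, IPs, resource paths and approved-baseline sets are constructed.

```python
from collections import namedtuple

# Operation identifiers as they appear in the respective control-plane logs.
AZURE_RUNCOMMAND_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
AWS_SSM_SENDCOMMAND = ("ssm.amazonaws.com", "SendCommand")

Invocation = namedtuple("Invocation", "cloud caller source_ip targets")

def normalise(event):
    """Map an Azure Activity Log or CloudTrail record to an Invocation, else None."""
    if event.get("operationName", "").upper() == AZURE_RUNCOMMAND_OP:
        return Invocation("azure", event["caller"], event["callerIpAddress"],
                          (event["resourceId"],))
    if (event.get("eventSource"), event.get("eventName")) == AWS_SSM_SENDCOMMAND:
        params = event.get("requestParameters") or {}
        return Invocation("aws", event["userIdentity"]["arn"],
                          event["sourceIPAddress"], tuple(params.get("instanceIds", [])))
    return None

def flag_anomalies(events, approved_callers, approved_ips):
    """Alert on run-command calls whose identity or source IP leaves the baseline."""
    alerts = []
    for event in events:
        inv = normalise(event)
        if inv is None:          # not a run-command invocation; ignore
            continue
        reasons = []
        if inv.caller not in approved_callers:
            reasons.append("caller not in admin baseline")
        if inv.source_ip not in approved_ips:
            reasons.append("source IP not in admin baseline")
        if reasons:
            alerts.append((inv, reasons))
    return alerts

# Constructed sample records (not real telemetry); resource paths shortened.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "caller": "ops-admin@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": "/virtualMachines/vm-web01"},
    {"operationName": AZURE_RUNCOMMAND_OP, "caller": "svc-backup@example.com",
     "callerIpAddress": "198.51.100.7", "resourceId": "/virtualMachines/vm-db01"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"instanceIds": ["i-0abc"]}},
]
APPROVED_CALLERS = {"ops-admin@example.com", "arn:aws:iam::123456789012:user/ops-admin"}
APPROVED_IPS = {"203.0.113.10"}
```

Only the second record is flagged: an identity and source IP outside the approved set invoking Run Command on a VM, which is the control-plane signal the rule is after; the approved-admin call and the SSM call from the baseline pass.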
