Legitimate configuration management, extension deployment, or automation that uses Azure Run Command with the same PowerShell or shell script paths may match. Baseline approved VM names, script naming, and deployment windows before tuning.

Techniques

Sample rules

Azure Run Command Script Child Process

Description

Identifies process start events whose parent matches Azure Virtual Machine Run Command execution patterns on Windows or Linux. On Windows, Run Command often launches PowerShell with -ExecutionPolicy Unrestricted and a script?.ps1 file; on Linux, the Azure Linux Agent (waagent) runs the downloaded script.sh under "/var/lib/waagent/run-command/". Child process telemetry exposes the on-guest payload that cloud activity logs do not fully describe.

Detection logic

process where event.type in ("start", "process_started") and
  (
    (process.parent.name == "powershell.exe" and
      process.parent.command_line like "powershell  -ExecutionPolicy Unrestricted -File script?.ps1") or
    (process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox") and
      process.parent.args like "/var/lib/waagent/run-command/download/*/script.sh")
  )
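The following is an added example, not part of this page or of the rule's own code: it emulates the detection logic above in Python so the rule can be checked against constructed process-start events, and applies the tuning suggested in the false-positive note by suppressing hits from a baseline of approved VM names. It assumes ECS-style event dictionaries with a host.name field; the sample events are constructed, not real telemetry.

```python
import re

# Patterns copied from the rule's detection logic. EQL `like` and `==` are case-sensitive.
WIN_PARENT_CMDLINE = "powershell  -ExecutionPolicy Unrestricted -File script?.ps1"  # note the two spaces
LINUX_PARENT_ARGS = "/var/lib/waagent/run-command/download/*/script.sh"
LINUX_SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox"}

def eql_like(value, pattern):
    """Emulate EQL `like`: `*` matches any run of characters, `?` exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def matches_rule(event):
    """True when a process-start event's parent looks like an Azure Run Command launcher."""
    if event.get("event.type") not in ("start", "process_started"):
        return False
    parent = event.get("process.parent", {})
    if parent.get("name") == "powershell.exe":
        return eql_like(parent.get("command_line", ""), WIN_PARENT_CMDLINE)
    if parent.get("name") in LINUX_SHELLS:
        # EQL matches an array field when any element matches the pattern.
        return any(eql_like(arg, LINUX_PARENT_ARGS) for arg in parent.get("args", []))
    return False

def alerts(events, approved_hosts=frozenset()):
    """Apply the rule, then suppress hits from VMs on the approved Run Command baseline."""
    return [e for e in events if matches_rule(e) and e.get("host.name") not in approved_hosts]

# Constructed sample events (not real telemetry); field names follow the ECS fields used by the rule.
SAMPLE_EVENTS = [
    {"event.type": "start", "host.name": "vm-web-01", "process.name": "whoami.exe",
     "process.parent": {"name": "powershell.exe",
                        "command_line": "powershell  -ExecutionPolicy Unrestricted -File script3.ps1"}},
    {"event.type": "start", "host.name": "vm-lnx-02", "process.name": "id",
     "process.parent": {"name": "bash",
                        "args": ["/bin/bash", "/var/lib/waagent/run-command/download/0/script.sh"]}},
    # Single space after "powershell": does not match the rule's literal pattern.
    {"event.type": "start", "host.name": "vm-web-03", "process.name": "hostname.exe",
     "process.parent": {"name": "powershell.exe",
                        "command_line": "powershell -ExecutionPolicy Unrestricted -File script3.ps1"}},
    # Different waagent directory: outside the rule's path pattern.
    {"event.type": "start", "host.name": "vm-lnx-04", "process.name": "id",
     "process.parent": {"name": "sh", "args": ["/bin/sh", "/var/lib/waagent/custom-script/script.sh"]}},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS, approved_hosts={"vm-lnx-02"}):
        print("ALERT", e["host.name"], e["process.name"])
```

Because the emulation keeps EQL's literal, case-sensitive matching, it also shows which near-miss command lines the rule does not cover, which is useful when comparing against what your own Run Command deployments actually produce.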