Azure Virtual Machine Configuration Modified

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Azure Virtual Machine Configuration Modified

edit

Identifies a successful write to an Azure virtual machine resource ("MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"). This operation is the parent action behind VM userData injection, where an adversary with VM contributor rights writes a base64 startup payload into the VM "userData" field that executes on the next reboot (a control-plane persistence technique requiring no guest access). The Azure activity log does not record the "userData" value or which property changed, so this behavior is indistinguishable from any other VM write at detection time. This is a building block rule and does not generate alerts on its own; it captures the VM write population so it can be correlated with other signals and baselined over time to tune a higher-fidelity userData-injection detection. To investigate a candidate, retrieve the live "userData" from the VM with an Azure Resource Manager GET using "$expand=userData".

Rule type: query

Rule indices:

  • logs-azure.activitylogs-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Endpoint
  • Data Source: Azure
  • Data Source: Azure Activity Logs
  • Use Case: Asset Visibility
  • Tactic: Persistence
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
data_stream.dataset:azure.activitylogs and
    event.action:"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE" and
    event.outcome:(success or Success)

Framework: MITRE ATT&CKTM