Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute arbitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Azure Activity |
| ID | efe843ca-3ce7-4896-9f8b-f2c374ae6527 |
| Tactics | LateralMovement, CredentialAccess |
| Techniques | T1570, T1078.004 |
| Required Connectors | AzureActivity |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
AzureActivity |
? | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊