Azure VM Managed Run Command Created or Updated with Unusual Principal

Last updated 4 days ago on 2026-06-16

Created 4 days ago on 2026-06-16

About

Identifies the creation or update of a managed Azure Run Command resource ("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE" or the virtual machine scale set equivalent) by an identity that has not performed this operation recently. Unlike the action-based Run Command ("runCommand/action"), the managed Run Command is a persistent resource on the VM whose creation or update executes the supplied script as System (Windows) or root (Linux). Because creating a managed run command both executes code and leaves a durable object, adversaries can use it as an alternative to the action invocation to evade detections that only watch "runCommand/action". Alerting on the first time a given principal performs this operation surfaces unusual or unauthorized use while suppressing routine automation that repeatedly manages the same run commands.

Tags

Domain: CloudDomain: EndpointData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: ExecutionLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

↳ Cloud Administration Command (T1651)(external, opens in a new tab or window)

False Positive Examples

Infrastructure-as-code, configuration management, and patching automation may create or update managed run commands. The first occurrence per principal will alert; baseline expected service principals, managed identities, and admin users and exclude them if the activity is verified as authorized.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.activitylogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset:azure.activitylogs and
    event.action:(
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMANDS/WRITE"
    ) and event.outcome:(success or Success) and
    azure.activitylogs.identity.authorization.evidence.principal_id: *

Install detection rules in Elastic Security

Detect Azure VM Managed Run Command Created or Updated with Unusual Principal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).