Elastic Security Detection Rules

Azure Run Command Script Child Process

Last updated 13 days ago on 2026-05-20
Created 13 days ago on 2026-05-20

About

Identifies process start events whose parent matches Azure Virtual Machine Run Command execution patterns on Windows or Linux. On Windows, Run Command often launches PowerShell with `-ExecutionPolicy Unrestricted` and a `script?.ps1` file; on Linux, the Azure Linux Agent (waagent) runs downloaded script.sh under "/var/lib/waagent/run-command/". Child process telemetry exposes the on-guest payload that cloud activity logs do not fully describe.
Tags
Domain: CloudDomain: EndpointOS: LinuxOS: WindowsUse Case: Threat DetectionTactic: ExecutionData Source: Elastic DefendData Source: SysmonData Source: AzureLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

Cloud Administration Command (T1651)(external, opens in a new tab or window)

False Positive Examples
Legitimate configuration management, extension deployment, or automation that uses Azure Run Command with the same PowerShell or shell script paths may match. Baseline approved VM names, script naming, and deployment windows before tuning.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*logs-windows.sysmon_operational-*
Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query
text code block:
process where event.type in ("start", "process_started") and
  (
    (process.parent.name == "powershell.exe" and
      process.parent.command_line like "powershell  -ExecutionPolicy Unrestricted -File script?.ps1") or
    (process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox") and
      process.parent.args like "/var/lib/waagent/run-command/download/*/script.sh")
  )

Install detection rules in Elastic Security

Detect Azure Run Command Script Child Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).