Adversaries who obtain a valid Azure identity can open Azure Cloud Shell and drive the tenant with its built-in az CLI and Azure PowerShell, so their commands and any data they pull out blend into ordinary cloud-native activity. Starting a Cloud Shell session mounts a file share from a storage account that lives in a resource group named cloud-shell-storage-<region>, and that mount shows up in the AzureActivity table as a Microsoft.Storage/storageAccounts/listKeys/action call against that resource group. The hunting query below uses that call as the session marker and summarizes everything the same Caller did in the same one-hour bin, so SOC teams running Microsoft Sentinel (formerly Azure Sentinel) can review what a Cloud Shell session changed and spot command-and-control or exfiltration activity conducted through it.
KQL Query

```kql
AzureActivity
| where ActivityStatusValue =~ "Success"
| where ResourceGroup has "cloud-shell-storage"
| where OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action"
// Change the timekey scope below to get activity for a longer window
| summarize by Caller, timekey= bin(TimeGenerated, 1h)
| join (AzureActivity | where TimeGenerated >= ago(1d)
| where OperationNameValue !~ "Microsoft.Storage/storageAccounts/listKeys/action"
| where isnotempty(OperationNameValue)
// Change the timekey scope below to get activity for a longer window
| summarize make_set(OperationNameValue) by Caller, timekey=bin(TimeGenerated, 1h)) on Caller, timekey
| extend timestamp = timekey, AccountCustomEntity = Caller
```

How it works: the left side treats a successful listKeys call against a cloud-shell-storage resource group as the start of a Cloud Shell session, bins it to the hour per Caller, and inner-joins every other operation the same Caller performed in the same hour. Two caveats when tuning: the 1h bin is a fixed boundary, not a sliding window, so work that crosses the top of the hour lands in a different bin and does not join, and a session with no other activity in its hour produces no row at all; and only the joined side is pinned to ago(1d) (the left side follows the time range you select in the hunting UI), so widen the bin and the lookback together.
```yaml
id: 42831fb3-f61d-41e9-95d9-f08797479a0e
name: Azure CloudShell Usage
description: |
  'This query looks for users starting an Azure CloudShell session and summarizes the Azure Activity from that
  user account during that timeframe (by default 1 hour). This can be used to help identify abuse of the CloudShell
  to modify Azure resources.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - Execution
relevantTechniques:
  - T1059
query: |
  AzureActivity
  | where ActivityStatusValue =~ "Success"
  | where ResourceGroup has "cloud-shell-storage"
  | where OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action"
  // Change the timekey scope below to get activity for a longer window
  | summarize by Caller, timekey= bin(TimeGenerated, 1h)
  | join (AzureActivity | where TimeGenerated >= ago(1d)
  | where OperationNameValue !~ "Microsoft.Storage/storageAccounts/listKeys/action"
  | where isnotempty(OperationNameValue)
  // Change the timekey scope below to get activity for a longer window
  | summarize make_set(OperationNameValue) by Caller, timekey=bin(TimeGenerated, 1h)) on Caller, timekey
  | extend timestamp = timekey, AccountCustomEntity = Caller
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Community
  categories:
    domains: [ "Security - Other" ]
```
| Sentinel Table | Notes |
|---|---|
| AzureActivity | Enable the Azure Activity data connector. The query reads only this table, even though the rule file above lists the AzureActiveDirectory/AuditLogs connector as required. Check which status value your workspace emits for successful operations: the filter matches `Success`, and if your AzureActivity rows carry `Succeeded` instead, widen it to `ActivityStatusValue in~ ("Success", "Succeeded")` or the left side will never match. |
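To see exactly which rows the query keeps and which it drops, here is an offline re-implementation of the same logic run over constructed AzureActivity records. This is an added example, not code from the Sentinel query or its author: it mirrors the hourly bin, the listKeys-on-cloud-shell-storage session marker, the ago(1d) lookback on the joined side and the inner join, and adds two hypothetical allowlists (`allowed_callers`, `allowed_ips`) of the kind the false-positive scenarios below call for. The sample rows, UPNs and IP addresses are constructed; the substring test stands in for KQL's `has` term match.

```python
"""Offline model of the Azure CloudShell Usage hunt over constructed AzureActivity rows.
Added example: not part of the Sentinel query; allowlists are hypothetical tuning knobs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LISTKEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
CLOUDSHELL_RG_TERM = "cloud-shell-storage"   # Cloud Shell's resource group is cloud-shell-storage-<region>


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as '2024-05-01T10:05:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bin_hour(t):
    """KQL bin(TimeGenerated, 1h): truncate to the start of the hour (fixed boundary, not sliding)."""
    return t.replace(minute=0, second=0, microsecond=0)


def cloudshell_sessions(rows):
    """Left side of the join: successful listKeys calls against a cloud-shell-storage resource
    group, keyed by (Caller, hour). Value is the set of CallerIpAddress seen on those calls."""
    sessions = defaultdict(set)
    for r in rows:
        if (r["ActivityStatusValue"].lower() == "success"                 # =~ "Success"
                and CLOUDSHELL_RG_TERM in r["ResourceGroup"].lower()      # approximates `has`
                and r["OperationNameValue"].lower() == LISTKEYS_OP.lower()):
            sessions[(r["Caller"], bin_hour(r["TimeGenerated"]))].add(r["CallerIpAddress"])
    return sessions


def other_activity(rows, now, lookback=timedelta(days=1)):
    """Right side of the join: every non-listKeys, non-empty operation per (Caller, hour) within
    the lookback window (the original pins only this side to ago(1d))."""
    ops = defaultdict(set)
    for r in rows:
        op = r["OperationNameValue"]
        if not op or op.lower() == LISTKEYS_OP.lower() or r["TimeGenerated"] < now - lookback:
            continue
        ops[(r["Caller"], bin_hour(r["TimeGenerated"]))].add(op)
    return ops


def hunt(rows, now, allowed_callers=frozenset(), allowed_ips=frozenset()):
    """Inner join of the two sides plus hypothetical allowlists (not in the original query):
    a session whose Caller is allowlisted, or whose every source IP is allowlisted, is suppressed."""
    sessions = cloudshell_sessions(rows)
    activity = other_activity(rows, now)
    results = []
    for (caller, hour), ips in sorted(sessions.items()):
        if caller in allowed_callers or ips <= set(allowed_ips):
            continue
        ops = activity.get((caller, hour))
        if not ops:   # inner join: a session with no other activity that hour yields no row
            continue
        results.append({"timestamp": hour, "AccountCustomEntity": caller,
                        "CallerIpAddress": sorted(ips), "set_OperationNameValue": sorted(ops)})
    return results


def _row(t, caller, ip, rg, op, status="Success"):
    return {"TimeGenerated": ts(t), "Caller": caller, "CallerIpAddress": ip,
            "ResourceGroup": rg, "OperationNameValue": op, "ActivityStatusValue": status}


# Constructed sample data (not real tenant logs).
NOW = ts("2024-05-01T12:00:00Z")
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
CS_RG = "cloud-shell-storage-westeurope"
SAMPLE_ROWS = [
    # alice opens Cloud Shell, then writes a VM and a role assignment in the same hour: reported
    _row("2024-05-01T10:05:00Z", "alice@contoso.example", "203.0.113.10", CS_RG, LISTKEYS_OP),
    _row("2024-05-01T10:20:00Z", "alice@contoso.example", "203.0.113.10", "prod-rg", VM_WRITE),
    _row("2024-05-01T10:40:00Z", "alice@contoso.example", "203.0.113.10", "prod-rg", ROLE_WRITE),
    # bob opens Cloud Shell but does nothing else that hour: dropped by the inner join
    _row("2024-05-01T10:15:00Z", "bob@contoso.example", "198.51.100.7", CS_RG, LISTKEYS_OP),
    # carol's listKeys failed, so it is not a session start
    _row("2024-05-01T09:50:00Z", "carol@contoso.example", "198.51.100.9", CS_RG, LISTKEYS_OP, "Failure"),
    _row("2024-05-01T09:55:00Z", "carol@contoso.example", "198.51.100.9", "prod-rg", VM_WRITE),
    # dave lists keys on an ordinary storage account: not Cloud Shell
    _row("2024-05-01T11:05:00Z", "dave@contoso.example", "198.51.100.5", "data-rg", LISTKEYS_OP),
    _row("2024-05-01T11:10:00Z", "dave@contoso.example", "198.51.100.5", "data-rg", VM_WRITE),
    # eve's session is older than the ago(1d) lookback on the joined side: dropped
    _row("2024-04-29T10:05:00Z", "eve@contoso.example", "198.51.100.3", CS_RG, LISTKEYS_OP),
    _row("2024-04-29T10:30:00Z", "eve@contoso.example", "198.51.100.3", "prod-rg", VM_WRITE),
    # known admin doing routine maintenance from Cloud Shell: reported unless allowlisted
    _row("2024-05-01T11:05:00Z", "ops-admin@contoso.example", "192.0.2.44", CS_RG, LISTKEYS_OP),
    _row("2024-05-01T11:30:00Z", "ops-admin@contoso.example", "192.0.2.44", "admin-rg", VM_WRITE),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS, NOW, allowed_callers={"ops-admin@contoso.example"}):
        print(hit["timestamp"].isoformat(), hit["AccountCustomEntity"], hit["set_OperationNameValue"])
```

Running it with the admin allowlist leaves only alice's 10:00 session, carrying the VM write and the role assignment write. Note that the allowlist is evaluated on the listKeys row, i.e. on who opened the shell and from where; it does not hide individual operations, so a suppressed admin session hides everything that identity did in that hour.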
Scenario: System Administrator Using Cloud Shell for Routine Maintenance
Description: An administrator opens Cloud Shell to perform routine work such as updating VM configurations or managing storage accounts. The session start and the subsequent writes match the query exactly as an attacker's would.
Filter/Exclusion: Allowlist known administrator accounts on the Caller column (for example with a watchlist or datatable and `!in~`), or drop operations against designated administrative resource groups (e.g., `ResourceGroup !~ "admin-rg"`) from the joined side so that only changes outside those groups are reported. Keep privileged operations such as role assignment writes visible even for allowlisted admins; those are the operations an attacker holding a stolen admin session would use.
Scenario: Scheduled Job Execution via Cloud Shell
Description: A scheduled job or automation script runs Azure CLI commands such as backing up data or rotating credentials under an identity that also appears in Cloud Shell sessions.
Filter/Exclusion: Azure Automation runbooks and Logic Apps run under their own managed identity or service principal and do not mount the Cloud Shell file share, so they do not produce the listKeys call against cloud-shell-storage that starts the join. Their operations only land in the result set when the same Caller identity is shared between a person and the automation. Exclude that Caller if the sharing is sanctioned; otherwise treat a human identity that also runs scheduled jobs as a finding in its own right.
Scenario: DevOps Pipeline Using Cloud Shell for CI/CD Tasks
Description: A DevOps pipeline deploys code or runs tests against Azure resources, such as deploying to Azure App Services or Kubernetes clusters.
Filter/Exclusion: Pipelines from Azure DevOps or GitHub Actions run on build agents under a service principal or workload identity, not inside Cloud Shell, so their activity only joins if that identity also opened a Cloud Shell session in the same hour. For service principals the Caller column holds the application ID rather than a UPN; exclude known pipeline identities on Caller, or the egress addresses of self-hosted agents on CallerIpAddress.
Scenario: Cloud Shell Used for Training or Onboarding Sessions
Description: A training session or onboarding walkthrough uses Cloud Shell to demonstrate Azure services to new users or during internal workshops.
Filter/Exclusion: Exclude the training accounts on Caller (e.g., `Caller !contains "training"`, or a watchlist of attendee UPNs), or scope the exclusion to the workshop window with `TimeGenerated between (datetime(2024-01-01) .. datetime(2024-01-02))`. Prefer the time-bounded form: a standing exclusion on a naming pattern is trivially satisfied by an attacker who creates or takes over an account whose name matches it.
Scenario: Cloud Shell Access for Security Audits
Description: Security teams use Cloud Shell to run audits or forensic checks against Azure resources, such as pulling logs or running compliance checks. These sessions consist mostly of read operations, which the query reports alongside writes.
Filter/Exclusion: Include a filter for security-related tools (e.g., Azure Security