Burst of multiple reconnaissance commands could indicate initial activity after compromise

All of a sudden we have started receiving alerts for "Burst of multiple reconnaissance commands could indicate initial activity after compromise [seen multiple times]" for all the subscriptions/tenant IDs over Azure. The reported commands are basic Linux commands, and when the Linux team searches they aren't able to find such huge counts as reported by Azure Security Center. Has some new threat intel been added, or have some changes been made to Azure Security Center? If you have any hints as to why we are receiving these alerts, then please reply.

6 Replies

Same here, so I'm also interested to know about this alert.

We've recently seen the same alerts. With limited access to this environment I would be surprised if it was compromised in this manner.

We are getting the same alerts. We have looked at running pods and found no custom deployments with privileged access. We have started an investigation because of a potential attack (https://azure.microsoft.com/en-in/blog/leverage-azure-security-center-to-detect-when-compromised-lin...), but these alerts do not give enough information. I am also interested if there are any new features or alert types in Azure Security Center.

@ujjawalm

We started receiving these alerts as well. I believe this could be related to a recent update in the OMS agent, based on FIM observed file changes. Can anyone else confirm if the OMS agent on their Linux VMs involved in these alerts recently updated?

Thanks!
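One way to check both points raised above (whether the alert counts per host really are that high, and whether the OMS agent version changed on the affected Linux VMs in the same window) is a Log Analytics query against the workspace that receives the Security Center alerts. This is an added example for triage, not a query from anyone in the thread; it assumes the standard `SecurityAlert` and `Heartbeat` tables and that the hostname in `CompromisedEntity` matches the `Computer` value in heartbeats.

```kql
// Added example (not from the thread): triage the alert in Log Analytics.
// Assumes the workspace receives Security Center alerts (SecurityAlert table)
// and agent heartbeats (Heartbeat table). The alert name substring is taken
// from the thread's title; the 7-day window is an arbitrary choice.
let lookback = 7d;
let alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName has "Burst of multiple reconnaissance commands"
    // hostname formats can differ between tables; normalise case here
    | extend Host = tolower(CompromisedEntity)
    | summarize AlertCount = count(),
                FirstAlert = min(TimeGenerated),
                LastAlert  = max(TimeGenerated) by Host;
Heartbeat
| where TimeGenerated > ago(lookback) and OSType == "Linux"
| extend Host = tolower(Computer)
// collect every agent version a host reported during the window
| summarize AgentVersions = make_set(Version),
            FirstHeartbeat = min(TimeGenerated),
            LastHeartbeat  = max(TimeGenerated) by Host
| join kind=inner alerts on Host
// VersionChanged == true means the agent was upgraded within the window,
// which is the hypothesis raised in the thread
| project Host, AlertCount, FirstAlert, LastAlert,
          AgentVersions, VersionChanged = array_length(AgentVersions) > 1
| order by AlertCount desc
```

Hosts with a high `AlertCount` and `VersionChanged == true` are the ones to compare against what the Linux team sees in local command history and FIM records.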

Yes Ricky, OMS agent is involved in these alerts.

Hi @ujjawalm ,

Those alerts are the result of a known temporary error in our system that caused Azure Security Center to trigger alerts that shouldn't have been triggered. The issue was mitigated successfully - you shouldn't get such alerts anymore.

I am very sorry for the inconvenience it caused – please feel free to ignore those alerts.

Thanks,

Tal Rosler,

Product Manager, Azure Security Center.