← Back to Explore
elasticmediumTTP
Azure VM Boot Diagnostics Retrieved
Identifies retrieval of Azure VM boot diagnostics data ("MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION") by an identity that has not performed this operation recently. Boot diagnostics expose the VM serial console log and a console screenshot, which frequently contain plaintext boot-time output such as credentials, tokens, cloud-init/agent secrets, and command history. An adversary with VM read/contributor rights can retrieve this data over the control plane, without logging into the guest or touching the network, to harvest credentials.
Detection Query
data_stream.dataset:azure.activitylogs and
event.action:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION" and
event.outcome:(success or Success)
Author
Elastic
Created
2026/06/15
Data Sources
AzureAzure Activity Logslogs-azure.activitylogs-*
References
- https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors
- https://www.microsoft.com/en-us/msrc/blog/2023/08/azure-serial-console-attack-and-defense-part-1
- https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics
- https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/
Tags
Domain: CloudDomain: EndpointData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: Credential AccessResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/15"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/15"
[rule]
author = ["Elastic"]
description = """
Identifies retrieval of Azure VM boot diagnostics data
("MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION") by an identity that has not performed this
operation recently. Boot diagnostics expose the VM serial console log and a console screenshot, which frequently contain
plaintext boot-time output such as credentials, tokens, cloud-init/agent secrets, and command history. An adversary with
VM read/contributor rights can retrieve this data over the control plane, without logging into the guest or touching the
network, to harvest credentials.
"""
false_positives = [
"""
Support engineers, infrastructure-as-code, and VM health automation may legitimately retrieve boot diagnostics
during troubleshooting. The first occurrence per principal will alert; baseline expected support users, service
principals, and managed identities and exclude them if the activity is verified as authorized.
""",
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Boot Diagnostics Retrieved"
note = """## Triage and analysis
### Investigating Azure VM Boot Diagnostics Retrieved
Retrieving boot diagnostics (`retrieveBootDiagnosticsData/action`) returns SAS URIs to the VM serial console log and a
console screenshot. The serial log often contains plaintext boot output: cloud-init/agent activity, command history, and
sometimes credentials or tokens. The action is a control-plane read requiring only VM read/contributor rights, leaves no
guest footprint, and bypasses NSG/JIT.
### Triage checklist
- Identify the acting principal via `azure.activitylogs.identity.authorization.evidence.principal_id` and
`...principal_type` (User vs ServicePrincipal) and `azure.activitylogs.identity.claims.appid`. Service principal or
managed identity retrieval is more suspicious than a known support user.
- Review the source: `source.ip`, `source.as.number`, `source.as.organization.name`, `source.geo.country_name`.
Retrieval from cloud hosting, VPS, or anonymizing networks is more suspicious than known corporate egress.
- Inspect `azure.resource.id` / `azure.resource.name` to identify the target VM. Was the same principal recently granted
access to it, or is this their first interaction?
- Did the same principal recently perform reconnaissance, role assignments, Run Command, or extension operations on the
VM or subscription?
### Possible investigation steps
- Review the principal's Entra ID sign-in logs and RBAC role assignments on the subscription, resource group, and VM.
- Retrieve the boot diagnostics serial log and screenshot from the VM and assess whether they exposed credentials or
other secrets that now require rotation.
- Pivot on the VM and any credentials observed in the serial log for follow-on access, lateral movement, or persistence.
### Response and remediation
- If unauthorized, rotate any credentials/tokens exposed in the serial log, review RBAC on the affected scope, and revoke
the principal's access if compromised.
- Collect activity log artifacts per incident procedures.
"""
references = [
"https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors",
"https://www.microsoft.com/en-us/msrc/blog/2023/08/azure-serial-console-attack-and-defense-part-1",
"https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics",
"https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
]
risk_score = 47
rule_id = "e7509f8f-e70b-4b67-b864-aaa4254b4484"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: Endpoint",
"Data Source: Azure",
"Data Source: Azure Activity Logs",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:azure.activitylogs and
event.action:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION" and
event.outcome:(success or Success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.investigation_fields]
field_names = [
"@timestamp",
"event.outcome",
"azure.activitylogs.operation_name",
"azure.activitylogs.identity.authorization.evidence.principal_id",
"azure.activitylogs.identity.authorization.evidence.principal_type",
"azure.activitylogs.identity.claims.appid",
"azure.resource.name",
"azure.resource.id",
"source.ip",
"source.as.number",
"source.as.organization.name",
"source.geo.country_name",
"azure.subscription_id",
"azure.activitylogs.tenant_id",
]