Azure VM Extension Deployment by User
Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal. Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on Azure-hosted virtual machines without requiring direct network access to the VM.
Rule type: query
Rule indices:
- logs-azure.activitylogs-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Endpoint
- Data Source: Azure
- Data Source: Azure Activity Logs
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Defense Evasion
- Tactic: Execution
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Azure VM Extension Deployment by User
This rule flags successful MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE operations performed by a user principal
where the extension resource ID matches high-risk extension families (VMAccess, Custom Script, Run Command, DSC,
Microsoft Monitoring Agent).
Triage checklist
- Is the caller UPN a known admin or automation account?
- Is the source IP or ASN consistent with corporate infrastructure or a known VPN?
- Was this extension deployment preceded by a Run Command invocation on the same VM?
- Did the extension deployment coincide with new local account creation on the endpoint?
- Check azure.activitylogs.identity.claims.authnmethodsreferences: was MFA present?
- Correlate with endpoint telemetry: process events parented by WaAppAgent.exe or walinuxagent within 120 seconds of the extension write timestamp on the same host.
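The last two checklist items (the MFA claim check and the 120-second endpoint correlation) carried out in code, as an added example that is not part of the Elastic rule or its investigation guide. It assumes ECS-style documents with dotted field names, that the VM name in azure.resource.name matches the endpoint host.name (compared case-insensitively), and that the authnmethodsreferences claim arrives either as a list or as a comma-separated string; the hosts, timestamps and command lines in the sample events are constructed.

```python
"""Triage helpers for an alert from this rule (added example, not part of the rule).
Assumptions, all labelled: ECS-style dotted field names; the VM name in
azure.resource.name equals the endpoint host.name (case-insensitive); the
authnmethodsreferences claim is a list or a comma-separated string."""
from datetime import datetime, timedelta

# Azure guest agent processes named in the investigation guide (compared lower-cased).
VM_AGENT_PARENTS = {"waappagent.exe", "walinuxagent"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_present(activity_event):
    """True when the authnmethodsreferences claim includes 'mfa' (assumed claim format)."""
    claim = activity_event.get("azure.activitylogs.identity.claims.authnmethodsreferences", "")
    if isinstance(claim, str):
        methods = [m.strip() for m in claim.split(",") if m.strip()]
    else:
        methods = list(claim)
    return "mfa" in {m.lower() for m in methods}


def agent_spawned_processes(activity_event, process_events, window_seconds=120):
    """Processes on the same host, parented by the Azure guest agent, that started
    within window_seconds after the extension write timestamp."""
    host = activity_event["azure.resource.name"].lower()
    start = parse_ts(activity_event["@timestamp"])
    end = start + timedelta(seconds=window_seconds)
    hits = []
    for proc in process_events:
        if proc["host.name"].lower() != host:
            continue
        if proc["process.parent.name"].lower() not in VM_AGENT_PARENTS:
            continue
        if start <= parse_ts(proc["@timestamp"]) <= end:
            hits.append(proc)
    return hits


def triage(activity_event, process_events):
    """Summarise the two checks for an analyst: MFA on the caller, agent-spawned children."""
    hits = agent_spawned_processes(activity_event, process_events)
    return {
        "mfa": mfa_present(activity_event),
        "agent_children": [p["process.command_line"] for p in hits],
    }


# Constructed sample events (hypothetical hosts, user and timestamps).
EXTENSION_WRITE = {
    "@timestamp": "2024-05-01T10:00:00Z",
    "azure.activitylogs.operation_name": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
    "azure.resource.name": "WEB-01",
    "azure.activitylogs.identity.claims.upn": "alice@example.com",
    "azure.activitylogs.identity.claims.authnmethodsreferences": "pwd",  # password only, no MFA
}

PROCESS_EVENTS = [
    # 45 s after the write, spawned by the Windows guest agent -> correlated
    {"@timestamp": "2024-05-01T10:00:45Z", "host.name": "web-01",
     "process.parent.name": "WaAppAgent.exe",
     "process.command_line": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\Packages\\script.ps1"},
    # inside the window but parented by a user shell -> ignored
    {"@timestamp": "2024-05-01T10:00:30Z", "host.name": "web-01",
     "process.parent.name": "explorer.exe", "process.command_line": "cmd.exe"},
    # agent child on the right host but 210 s later -> outside the window
    {"@timestamp": "2024-05-01T10:03:30Z", "host.name": "web-01",
     "process.parent.name": "walinuxagent", "process.command_line": "/bin/bash run.sh"},
    # agent child inside the window but on a different VM -> ignored
    {"@timestamp": "2024-05-01T10:00:10Z", "host.name": "db-02",
     "process.parent.name": "walinuxagent", "process.command_line": "/bin/bash run.sh"},
]

if __name__ == "__main__":
    print(triage(EXTENSION_WRITE, PROCESS_EVENTS))
```

The window is measured forward from the activity-log timestamp only; if the endpoint clock or the activity-log ingestion delay is large, widen window_seconds rather than trusting a miss.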
Possible investigation steps
- Review azure.activitylogs.identity.authorization.evidence.principal_id and Entra sign-in logs for the caller.
- Examine azure.resource.id and azure.resource.name to identify the VM and extension type deployed.
- Pivot on the VM for MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and endpoint Run Command or waagent activity.
- Review role assignments for the principal on the subscription or resource group.
Response and remediation
- If unauthorized, remove the extension, rotate credentials, and review RBAC on the affected VM and scope.
- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
Rule query
data_stream.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" and
azure.activitylogs.identity.authorization.evidence.principal_type:User and
event.outcome:(success or Success) and
azure.resource.id:(
*VMACCESSAGENT* or
*CUSTOMSCRIPTEXTENSION* or
*RUNCOMMANDWINDOWS* or
*RUNCOMMANDLINUX* or
*/DSC/* or
*MICROSOFTMONITORINGAGENT*
)
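The query above re-implemented offline over constructed sample documents, as an added example that is not code from the Elastic rule. It assumes documents flattened to dotted ECS field names and treats each KQL wildcard as a case-sensitive glob (assumption: a plain keyword mapping with no normalizer); the subscription, resource group and VM names are hypothetical.

```python
"""Offline re-implementation of the rule query (added example, not part of the
Elastic rule). Assumes flattened ECS field names and case-sensitive keyword matching."""
from fnmatch import fnmatchcase

OPERATION = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"

# The six wildcard alternatives from the azure.resource.id clause, verbatim.
HIGH_RISK_PATTERNS = (
    "*VMACCESSAGENT*",
    "*CUSTOMSCRIPTEXTENSION*",
    "*RUNCOMMANDWINDOWS*",
    "*RUNCOMMANDLINUX*",
    "*/DSC/*",
    "*MICROSOFTMONITORINGAGENT*",
)


def matches_rule(doc):
    """Return True when a flattened activity-log document satisfies every clause of the query."""
    if doc.get("data_stream.dataset") != "azure.activitylogs":
        return False
    if doc.get("azure.activitylogs.operation_name") != OPERATION:
        return False
    if doc.get("azure.activitylogs.identity.authorization.evidence.principal_type") != "User":
        return False
    if doc.get("event.outcome") not in ("success", "Success"):
        return False
    resource_id = doc.get("azure.resource.id", "")
    # fnmatchcase mirrors a case-sensitive KQL wildcard on a keyword field (assumption).
    return any(fnmatchcase(resource_id, pattern) for pattern in HIGH_RISK_PATTERNS)


def run_rule(docs):
    """Return the resource IDs that would raise an alert, in input order."""
    return [doc["azure.resource.id"] for doc in docs if matches_rule(doc)]


# Constructed resource ID prefix (hypothetical subscription and resource group).
VM_PREFIX = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG"
             "/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/")


def make_doc(extension_path, principal_type="User", outcome="Success", operation=OPERATION):
    """Build a minimal flattened document carrying only the fields the query reads."""
    return {
        "data_stream.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": operation,
        "azure.activitylogs.identity.authorization.evidence.principal_type": principal_type,
        "event.outcome": outcome,
        "azure.resource.id": VM_PREFIX + extension_path,
    }


SAMPLE_DOCS = [
    # 0: user deploys the Custom Script Extension and it succeeds -> alert
    make_doc("WEB-01/EXTENSIONS/CUSTOMSCRIPTEXTENSION"),
    # 1: high-risk family but deployed by a service principal -> excluded by principal_type
    make_doc("WEB-01/EXTENSIONS/VMACCESSAGENT", principal_type="ServicePrincipal"),
    # 2: failed deployment -> excluded by event.outcome
    make_doc("DB-02/EXTENSIONS/RUNCOMMANDWINDOWS", outcome="Failure"),
    # 3: an extension outside the high-risk list -> no wildcard hit
    make_doc("DB-02/EXTENSIONS/AZURENETWORKWATCHEREXTENSION"),
    # 4: DSC resource ID ending in /DSC with no trailing slash -> "*/DSC/*" does not hit
    make_doc("APP-03/EXTENSIONS/DSC"),
    # 5: lower-case outcome is accepted by the (success or Success) clause -> alert
    make_doc("APP-03/EXTENSIONS/MICROSOFTMONITORINGAGENT", outcome="success"),
    # 6: a Run Command action, not an extension write -> excluded by operation_name
    make_doc("APP-03/EXTENSIONS/RUNCOMMANDLINUX",
             operation="MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"),
]

if __name__ == "__main__":
    for resource_id in run_rule(SAMPLE_DOCS):
        print("ALERT", resource_id)
```

Two things the samples make visible: the */DSC/* alternative needs a slash on both sides of DSC, so a resource ID that simply ends in /EXTENSIONS/DSC is not caught by it, and whether the upper-case literals match at all depends on how azure.resource.id is mapped and normalised in your deployment, so check a known-good event before relying on the rule.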
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Account Manipulation
  - ID: T1098
  - Reference URL: https://attack.mitre.org/techniques/T1098/
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Cloud Administration Command
  - ID: T1651
  - Reference URL: https://attack.mitre.org/techniques/T1651/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Modify Cloud Compute Infrastructure
  - ID: T1578
  - Reference URL: https://attack.mitre.org/techniques/T1578/
- Sub-technique:
  - Name: Create Cloud Instance
  - ID: T1578.002
  - Reference URL: https://attack.mitre.org/techniques/T1578/002/