Azure VM Extension CRUD Operation with Unusual Source ASN

Identifies create, read, update, or delete (CRUD) operations against Azure VM or VM scale set extensions ("MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/*" or the scale set equivalent) where the combination of the targeted extension resource name and the source autonomous system (AS) number has not been observed recently. VM extensions such as CustomScript and DSC run with high privilege on the guest (SYSTEM on Windows, root on Linux), so writing, modifying, or removing them is a common code-execution and persistence primitive. By keying a new terms approach on the extension resource name and the source AS number, this rule surfaces extension operations originating from networks that have not historically managed that extension, while routine first-party Microsoft automation (which originates from well-known Microsoft AS numbers) is excluded.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/15"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/15"

[rule]
author = ["Elastic"]
description = """
Identifies create, read, update, or delete (CRUD) operations against Azure VM or VM scale set extensions
("MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/*" or the scale set equivalent) where the combination of the targeted
extension resource name and the source autonomous system (AS) number has not been observed recently. VM extensions such
as CustomScript and DSC run with high privilege on the guest (SYSTEM on Windows, root on Linux), so writing, modifying,
or removing them is a common code-execution and persistence primitive. By keying a new terms approach on the extension
resource name and the source AS number, this rule surfaces extension operations originating from networks that have not
historically managed that extension, while routine first-party Microsoft automation (which originates from well-known
Microsoft AS numbers) is excluded.
"""
false_positives = [
    """
    Infrastructure-as-code, configuration management, and patching automation routinely create, update, and delete VM
    extensions. The first time a given extension resource name is operated on from a new source AS number will alert.
    Baseline expected management networks (corporate egress, CI/CD runners, third-party automation SaaS) and exclude
    their AS numbers if the activity is verified as authorized. Read operations are typically not emitted to the Azure
    activity log; the rule predominantly fires on WRITE and DELETE.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Extension CRUD Operation with Unusual Source ASN"
note = """## Triage and analysis

### Investigating Azure VM Extension CRUD Operation with Unusual Source ASN

Azure VM and VM scale set extensions (for example CustomScript, DSC, and AADSSHLoginForLinux) execute on the guest with
high privilege. Creating or updating an extension (`EXTENSIONS/WRITE`) can run attacker-supplied code as SYSTEM or root,
while deleting one (`EXTENSIONS/DELETE`) can remove security tooling or clean up after execution. This rule uses a new
terms approach keyed on the pair (`azure.resource.name`, `source.as.number`), so it fires when a given extension resource
is operated on from a source network that has not been seen managing it within the history window. Well-known Microsoft
AS numbers used by first-party automation are excluded in the query.

### Triage checklist

- Identify the source via `source.ip`, `source.as.number`, and `source.as.organization.name`. Operations from cloud
  hosting, VPS, or anonymizing networks are more suspicious than known corporate egress.
- Identify the acting principal via `azure.activitylogs.identity.authorization.evidence.principal_id` and
  `...principal_type` (User vs ServicePrincipal) and `azure.activitylogs.identity.claims.appid`.
- Inspect `azure.resource.id` for the target VM/VMSS and `azure.resource.name` for the extension. CustomScript/DSC
  extensions and randomly named extensions warrant closer review.
- Determine the operation: WRITE (create/update — code execution) vs DELETE (removal — possible defense evasion or
  cleanup).
- Correlate with endpoint telemetry on the target host: process activity parented by the Azure guest agent
  (`WaAppAgent.exe` / `walinuxagent`) within ~120 seconds of the operation timestamp.

### Possible investigation steps

- Review the principal's Entra ID sign-in logs and RBAC role assignments on the subscription, resource group, and VM.
- Retrieve the extension settings/protected settings from the VM (the activity log does not contain the script body) to
  assess intent.
- Pivot on the VM for credential access, new local accounts, or outbound C2 connections following the operation.

### Response and remediation

- If unauthorized, remove the malicious extension, isolate the VM, rotate credentials reachable from it, and review RBAC
  on the affected scope.
- Block or investigate the source AS/network if it is not an expected management path.
- Collect endpoint and activity log artifacts per incident procedures.
"""
references = [
    "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/",
    "https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows",
    "https://hackingthe.cloud/azure/run-command-abuse/",
    "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors",
    "https://www.sysdig.com/blog/the-expendable-extension-name-azure-vmaccess-naming-chaos-password-resets-and-a-detection-gap",
]
risk_score = 47
rule_id = "d69d05f8-d48a-4dcb-b226-fb2efbedd6ba"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Endpoint",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:azure.activitylogs and
    event.action:(
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/READ" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/DELETE" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/READ" or
        "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/WRITE"
    ) and event.outcome:(Success or success) and
    azure.resource.name:* and
    source.as.number:(* and not (3598 or 8068 or 8069 or 8070 or 8071 or 8072 or 8073 or 8074 or 8075 or 12076))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.outcome",
    "azure.activitylogs.operation_name",
    "azure.resource.name",
    "azure.resource.id",
    "source.ip",
    "source.as.number",
    "source.as.organization.name",
    "source.geo.country_name",
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.activitylogs.identity.authorization.evidence.principal_type",
    "azure.activitylogs.identity.claims.appid",
    "azure.subscription_id",
    "azure.activitylogs.tenant_id",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.resource.name", "source.as.number"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
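The following is an added illustration of how the rule's query filter and new-terms logic combine; it is not code from the Elastic rule or its repository. It applies the same conditions as the KQL query (dataset, the six extension operations, a successful outcome, a non-empty resource name, and the Microsoft AS number exclusions) to a handful of constructed activity-log events, then flags each event whose (`azure.resource.name`, `source.as.number`) pair has not been seen in the previous 7 days, matching the rule's history window. The events, timestamps and AS numbers 64500/64501 (from the range reserved for documentation) are constructed; the event dictionaries use flattened ECS field names as a simplification.

```python
"""Offline simulation of the new_terms detection described by the rule (added example)."""
from datetime import datetime, timedelta, timezone

# The six operations listed in the rule's query.
EXTENSION_OPERATIONS = {
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/READ",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/DELETE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/READ",
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/WRITE",
}
# First-party Microsoft AS numbers excluded by the rule's query.
EXCLUDED_ASNS = {3598, 8068, 8069, 8070, 8071, 8072, 8073, 8074, 8075, 12076}
# rule.new_terms history_window_start = "now-7d"
HISTORY_WINDOW = timedelta(days=7)

VM_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
VM_DELETE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE"
VMSS_READ = "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/READ"

BASE = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed baseline date


def _event(eid, day, action, name, asn, outcome="Success"):
    """Build one constructed activity-log event (flattened field names)."""
    return {
        "id": eid,
        "@timestamp": BASE + timedelta(days=day),
        "data_stream.dataset": "azure.activitylogs",
        "event.action": action,
        "event.outcome": outcome,
        "azure.resource.name": name,
        "source.as.number": asn,
    }


# Constructed sample events. 64500/64501 stand in for two non-Microsoft networks.
SAMPLE_EVENTS = [
    _event("e1", 1, VM_WRITE, "CustomScriptExtension", 64500),   # first sighting of the pair -> alert
    _event("e2", 2, VM_WRITE, "CustomScriptExtension", 64500),   # same pair seen a day earlier -> no alert
    _event("e3", 3, VM_WRITE, "CustomScriptExtension", 8075),    # Microsoft ASN -> excluded by the query
    _event("e4", 3, VM_WRITE, "CustomScriptExtension", 64501),   # new ASN for this extension -> alert
    _event("e5", 4, VMSS_READ, "CustomScriptExtension", 64500, outcome="Failure"),  # not Success -> filtered
    _event("e6", 12, VM_DELETE, "CustomScriptExtension", 64500), # pair last seen on day 2, outside 7d -> alert
]


def matches_query(event):
    """Mirror the KQL filter: dataset, action, success outcome, non-empty name, ASN present and not excluded."""
    if event.get("data_stream.dataset") != "azure.activitylogs":
        return False
    if event.get("event.action") not in EXTENSION_OPERATIONS:
        return False
    if str(event.get("event.outcome", "")).lower() != "success":
        return False
    if not event.get("azure.resource.name"):
        return False
    asn = event.get("source.as.number")
    return asn is not None and asn not in EXCLUDED_ASNS


def new_terms_alerts(events):
    """Return the events whose (resource name, ASN) pair was not seen within HISTORY_WINDOW before them.

    Events are replayed in timestamp order; every event that passes the query filter, alerting or not,
    extends the baseline for its pair. Excluded Microsoft ASNs never enter the baseline, exactly as they
    never reach the new_terms stage in the real rule.
    """
    last_seen = {}  # (azure.resource.name, source.as.number) -> most recent timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = (ev["azure.resource.name"], ev["source.as.number"])
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[key] = ev["@timestamp"]
    return alerts


if __name__ == "__main__":
    for hit in new_terms_alerts(SAMPLE_EVENTS):
        print(hit["id"], hit["@timestamp"].date(), hit["event.action"], hit["source.as.number"])
```

Event e6 is the case worth noticing when tuning: a pair that was legitimate ten days ago alerts again because the 7-day history window has rolled past it, which is why the false-positives note recommends baselining known management networks rather than relying on the window alone.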

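The triage checklist's correlation step, written out as an added example (not code from the rule or from Elastic): given the alert's operation timestamp, pull the endpoint process events from the target VM that were parented by the Azure guest agent within about 120 seconds. The process events, pids, command lines and the alert timestamp are constructed; the flattened field names (`parent.name`, `process.name`, `process.command_line`) and the use of an absolute time difference to tolerate small clock skew between the activity log and the endpoint are assumptions of this demo.

```python
"""Correlate an extension-operation alert with guest-agent child processes on the VM (added example)."""
from datetime import datetime, timedelta, timezone

# Guest agent process names named in the triage checklist (Windows / Linux), compared case-insensitively.
GUEST_AGENT_PARENTS = {"waappagent.exe", "walinuxagent"}
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed: timestamp of the alerting EXTENSIONS/WRITE operation on a Windows VM.
ALERT_TIMESTAMP = datetime(2026, 6, 13, 10, 0, 0, tzinfo=timezone.utc)


def _proc(pid, offset_s, parent, name, cmdline):
    """Build one constructed endpoint process event, offset in seconds from the alert."""
    return {
        "pid": pid,
        "@timestamp": ALERT_TIMESTAMP + timedelta(seconds=offset_s),
        "parent.name": parent,
        "process.name": name,
        "process.command_line": cmdline,
    }


# Constructed process telemetry from the target host.
SAMPLE_PROCESS_EVENTS = [
    _proc(1001, 12, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),          # unrelated parent
    _proc(1002, 45, "WaAppAgent.exe", "powershell.exe", "powershell.exe -File run.ps1"),  # agent child, in window
    _proc(1003, 70, "explorer.exe", "powershell.exe", "powershell.exe"),                 # interactive, not agent
    _proc(1004, 400, "WaAppAgent.exe", "cmd.exe", "cmd.exe /c hostname"),                # agent child, too late
    _proc(1005, -15, "WaAppAgent.exe", "cmd.exe", "cmd.exe /c hostname"),                # agent child, slight skew
]


def correlate_guest_agent_children(alert_ts, process_events, window=CORRELATION_WINDOW):
    """Return process events parented by the guest agent within +/- window of the alert, oldest first.

    An absolute difference is used (assumption) so that a few seconds of clock skew between the
    Azure activity log and endpoint telemetry does not hide an otherwise matching process.
    """
    hits = []
    for ev in process_events:
        if ev["parent.name"].lower() not in GUEST_AGENT_PARENTS:
            continue
        if abs(ev["@timestamp"] - alert_ts) <= window:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["@timestamp"])


if __name__ == "__main__":
    for hit in correlate_guest_agent_children(ALERT_TIMESTAMP, SAMPLE_PROCESS_EVENTS):
        delta = (hit["@timestamp"] - ALERT_TIMESTAMP).total_seconds()
        print(f"pid={hit['pid']} offset={delta:+.0f}s {hit['process.command_line']}")
```

The matched command lines are the starting point for the next checklist item: the activity log never carries the script body, so the process telemetry (or the extension's settings retrieved from the VM) is where intent has to be assessed.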
