Azure VM Extension Deployment by User

Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal. Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on Azure-hosted virtual machines without requiring direct network access to the VM.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/05/20"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/20"

[rule]
author = ["Elastic"]
description = """
Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal.
Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and
RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on
Azure-hosted virtual machines without requiring direct network access to the VM.
"""
false_positives = [
    """
    Legitimate administrators and automation may deploy Custom Script, Run Command, DSC, or monitoring extensions during
    provisioning, patching, or guest configuration. Baseline expected principals, VMs, and extension types before
    tuning exclusions.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure VM Extension Deployment by User"
note = """## Triage and analysis

### Investigating Azure VM Extension Deployment by User

This rule flags successful `MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE` operations performed by a user principal
where the extension resource ID matches high-risk extension families (VMAccess, Custom Script, Run Command, DSC,
Microsoft Monitoring Agent).

### Triage checklist

- Is the caller UPN a known admin or automation account?
- Is the source IP or ASN consistent with corporate infrastructure or a known VPN?
- Was this extension deployment preceded by a Run Command invocation on the same VM?
- Did the extension deployment coincide with new local account creation on the endpoint?
- Check `azure.activitylogs.identity.claims.authnmethodsreferences` — was MFA present?
- Correlate with endpoint telemetry: process events parented by `WaAppAgent.exe` or `walinuxagent` within 120 seconds of
  the extension write timestamp on the same host.

### Possible investigation steps

- Review `azure.activitylogs.identity.authorization.evidence.principal_id` and Entra sign-in logs for the caller.
- Examine `azure.resource.id` and `azure.resource.name` to identify the VM and extension type deployed.
- Pivot on the VM for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` and endpoint Run Command or `waagent` activity.
- Review role assignments for the principal on the subscription or resource group.

### Response and remediation

- If unauthorized, remove the extension, rotate credentials, and review RBAC on the affected VM and scope.
- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
"""
references = ["https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview"]
risk_score = 47
rule_id = "e842d39d-ead1-48c6-97f1-6b055476c2f3"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Endpoint",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" and
azure.activitylogs.identity.authorization.evidence.principal_type:User and
event.outcome:(success or Success) and
azure.resource.id:(
    *VMACCESSAGENT* or
    *CUSTOMSCRIPTEXTENSION* or
    *RUNCOMMANDWINDOWS* or
    *RUNCOMMANDLINUX* or
    */DSC/* or
    *MICROSOFTMONITORINGAGENT*
)
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.outcome",
    "azure.activitylogs.operation_name",
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.activitylogs.identity.authorization.evidence.principal_type",
    "azure.activitylogs.identity.claims_initiated_by_user.name",
    "azure.resource.id",
    "azure.resource.name",
    "source.ip",
    "source.geo.country_name",
    "source.as.organization.name",
    "azure.subscription_id",
    "azure.activitylogs.tenant_id",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"

[[rule.threat.technique.subtechnique]]
id = "T1578.002"
name = "Create Cloud Instance"
reference = "https://attack.mitre.org/techniques/T1578/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
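The following is an added example, not part of the Elastic rule or this page: it re-implements the rule's KQL clauses in Python over constructed, ECS-shaped activity-log documents so you can see which events alert and which are excluded (service principal, failed outcome, extension outside the high-risk list), then applies the guest-agent correlation from the triage checklist (processes parented by `WaAppAgent.exe` or `walinuxagent` within 120 seconds on the same host). Field names are the rule's own; the sample events, VM names, hostnames, timestamps and the placeholder subscription ID are constructed, and the example assumes the VM resource name equals the endpoint's `host.name`.

```python
# Added example (not the rule's or the page's own code). Emulates the rule query over
# constructed activity-log documents, then correlates hits with constructed endpoint
# process events as the triage checklist describes.
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

OPERATION = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
# Wildcard alternatives from the rule's azure.resource.id clause (KQL "*" == fnmatch "*").
HIGH_RISK_EXTENSION_PATTERNS = (
    "*VMACCESSAGENT*", "*CUSTOMSCRIPTEXTENSION*", "*RUNCOMMANDWINDOWS*",
    "*RUNCOMMANDLINUX*", "*/DSC/*", "*MICROSOFTMONITORINGAGENT*",
)
GUEST_AGENT_PARENTS = {"waappagent.exe", "walinuxagent"}
CORRELATION_WINDOW = timedelta(seconds=120)


def matches_rule(doc: dict) -> bool:
    """True when a flattened activity-log document satisfies every clause of the rule query."""
    if doc.get("data_stream.dataset") != "azure.activitylogs":
        return False
    if doc.get("azure.activitylogs.operation_name") != OPERATION:
        return False
    if doc.get("azure.activitylogs.identity.authorization.evidence.principal_type") != "User":
        return False
    if doc.get("event.outcome") not in ("success", "Success"):
        return False
    # azure.resource.id is a keyword field, so the wildcard match is case-sensitive;
    # fnmatchcase mirrors that (a lower-cased resource ID would not match).
    resource_id = doc.get("azure.resource.id", "")
    return any(fnmatchcase(resource_id, p) for p in HIGH_RISK_EXTENSION_PATTERNS)


def vm_name_from_resource_id(resource_id: str) -> str:
    """The segment following .../MICROSOFT.COMPUTE/VIRTUALMACHINES/ in an extension resource ID."""
    parts = resource_id.split("/")
    return parts[[p.upper() for p in parts].index("VIRTUALMACHINES") + 1]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp (fromisoformat needs +00:00 before Python 3.11)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def correlate_guest_agent_children(hit: dict, process_events: list) -> list:
    """Process events on the same host, parented by the Azure guest agent, that started
    within CORRELATION_WINDOW after the extension write. Assumes (for this example)
    that the VM resource name is the endpoint's host.name."""
    host = vm_name_from_resource_id(hit["azure.resource.id"]).lower()
    written_at = parse_ts(hit["@timestamp"])
    related = []
    for proc in process_events:
        if proc["host.name"].lower() != host:
            continue
        if proc["process.parent.name"].lower() not in GUEST_AGENT_PARENTS:
            continue
        delta = parse_ts(proc["@timestamp"]) - written_at
        if timedelta(0) <= delta <= CORRELATION_WINDOW:
            related.append(proc)
    return related


def triage(activity_docs: list, process_events: list) -> dict:
    """Map each alerting extension resource ID to the names of correlated child processes."""
    return {
        d["azure.resource.id"]: [p["process.name"] for p in correlate_guest_agent_children(d, process_events)]
        for d in activity_docs if matches_rule(d)
    }


def _activity(principal_type, outcome, vm, extension, ts="2026-05-20T10:00:00Z"):
    # Constructed sample document; the subscription ID is a placeholder.
    return {
        "@timestamp": ts,
        "data_stream.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": OPERATION,
        "azure.activitylogs.identity.authorization.evidence.principal_type": principal_type,
        "event.outcome": outcome,
        "azure.resource.id": ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG"
                              f"/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/{vm}/EXTENSIONS/{extension}"),
    }


def _process(host, parent, name, ts):
    # Constructed sample endpoint process event.
    return {"@timestamp": ts, "host.name": host, "process.parent.name": parent, "process.name": name}


SAMPLE_ACTIVITY = [
    _activity("User", "Success", "WEB01", "CUSTOMSCRIPTEXTENSION"),       # alerts
    _activity("ServicePrincipal", "Success", "WEB02", "VMACCESSAGENT"),    # excluded: not a User principal
    _activity("User", "Failure", "WEB03", "RUNCOMMANDWINDOWS"),            # excluded: outcome not success
    _activity("User", "Success", "WEB04", "AZUREMONITORWINDOWSAGENT"),     # excluded: not in the pattern list
    _activity("User", "Success", "WEB05", "DSC"),                          # excluded: */DSC/* needs a segment after DSC
]
SAMPLE_PROCESSES = [
    _process("web01", "WaAppAgent.exe", "powershell.exe", "2026-05-20T10:00:45Z"),  # inside the 120 s window
    _process("web01", "explorer.exe", "notepad.exe", "2026-05-20T10:00:50Z"),       # wrong parent
    _process("web01", "WaAppAgent.exe", "cmd.exe", "2026-05-20T10:05:00Z"),         # outside the window
    _process("db02", "WaAppAgent.exe", "powershell.exe", "2026-05-20T10:00:30Z"),   # different host
]

if __name__ == "__main__":
    for resource_id, children in triage(SAMPLE_ACTIVITY, SAMPLE_PROCESSES).items():
        print(resource_id, "->", children)
```

Two things the run makes visible that are worth checking against your own data before tuning: the `azure.resource.id` match is case-sensitive, so the rule relies on Azure emitting upper-cased resource IDs in the activity log; and the `*/DSC/*` alternative only matches when `DSC` is followed by a further `/` segment, so an extension resource ID that ends in `/EXTENSIONS/DSC` does not match that clause.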

