Legitimate administrators and automation may deploy Custom Script, Run Command, DSC, or monitoring extensions during provisioning, patching, or guest configuration. Baseline expected principals, VMs, and extension types before tuning exclusions.

Techniques

Sample rules

Azure VM Extension Deployment by User

Description

Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal. Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on Azure-hosted virtual machines without requiring direct network access to the VM.

Detection logic

data_stream.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" and
azure.activitylogs.identity.authorization.evidence.principal_type:User and
event.outcome:(success or Success) and
azure.resource.id:(
    *VMACCESSAGENT* or
    *CUSTOMSCRIPTEXTENSION* or
    *RUNCOMMANDWINDOWS* or
    *RUNCOMMANDLINUX* or
    */DSC/* or
    *MICROSOFTMONITORINGAGENT*
)
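The following is an added example, not the rule's own code or part of this catalog: it replays every clause of the KQL above over a few constructed activity-log events in the flat, dotted-key shape the query addresses, then applies the baselining step the false-positive note recommends, keying exclusions on the (principal, VM, extension type) triple rather than suppressing the rule wholesale. The `user.name` field used for the principal, the sample resource ids, and the events themselves are assumptions; the field names in the match function are taken from the rule.

```python
"""Replay of the "Azure VM Extension Deployment by User" KQL over constructed
activity-log events, plus a baseline-driven exclusion step. Added example, not
the rule's own code; the principal field (user.name) and sample data are assumed."""
from dataclasses import dataclass

EXTENSION_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
PRINCIPAL_TYPE = "azure.activitylogs.identity.authorization.evidence.principal_type"
# Substring fragments from the rule's azure.resource.id wildcard clause, applied
# to the resource id exactly as logged (the rule's patterns are upper case).
HIGH_RISK_FRAGMENTS = (
    "VMACCESSAGENT", "CUSTOMSCRIPTEXTENSION", "RUNCOMMANDWINDOWS",
    "RUNCOMMANDLINUX", "/DSC/", "MICROSOFTMONITORINGAGENT",
)


def matches_rule(event: dict) -> bool:
    """True when a flat (dotted-key) event satisfies every clause of the rule's KQL."""
    resource_id = event.get("azure.resource.id") or ""
    return (
        event.get("data_stream.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == EXTENSION_WRITE
        and event.get(PRINCIPAL_TYPE) == "User"
        and event.get("event.outcome") in ("success", "Success")
        and any(fragment in resource_id for fragment in HIGH_RISK_FRAGMENTS)
    )


@dataclass(frozen=True)
class Deployment:
    """The triple the false-positive note says to baseline: who, which VM, which extension."""
    principal: str
    vm: str
    extension: str


def parse_deployment(event: dict) -> Deployment:
    """Pull the VM and extension names out of the resource id path segments."""
    parts = (event.get("azure.resource.id") or "").upper().split("/")

    def segment_after(key: str) -> str:
        try:
            return parts[parts.index(key) + 1]
        except (ValueError, IndexError):
            return ""

    return Deployment(
        principal=(event.get("user.name") or "").lower(),  # assumed field name
        vm=segment_after("VIRTUALMACHINES"),
        extension=segment_after("EXTENSIONS"),
    )


def build_baseline(known_good_events) -> set:
    """Baseline from a reviewed window. Only rule matches are recorded, so the
    baseline never grows from events the rule would not fire on anyway."""
    return {parse_deployment(e) for e in known_good_events if matches_rule(e)}


def triage(events, baseline: set) -> list:
    """Rule matches not covered by the baseline, in arrival order."""
    alerts = []
    for event in events:
        if matches_rule(event):
            deployment = parse_deployment(event)
            if deployment not in baseline:
                alerts.append(deployment)
    return alerts


def make_event(principal, vm, extension, principal_type="User", outcome="Success"):
    """Constructed activity-log event in the flat ECS-style shape the rule queries."""
    return {
        "data_stream.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": EXTENSION_WRITE,
        PRINCIPAL_TYPE: principal_type,
        "event.outcome": outcome,
        "user.name": principal,
        "azure.resource.id": (
            "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD"
            f"/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/{vm}/EXTENSIONS/{extension}"
        ),
    }


# Constructed reviewed window: the patching admin pushes Custom Script to WEB01.
KNOWN_GOOD = [make_event("ops.admin@example.com", "WEB01", "CUSTOMSCRIPTEXTENSION")]
BASELINE = build_baseline(KNOWN_GOOD)

# Constructed live events; comments give the expected triage outcome.
LIVE = [
    make_event("ops.admin@example.com", "WEB01", "CUSTOMSCRIPTEXTENSION"),              # baselined
    make_event("automation-sp", "WEB02", "CUSTOMSCRIPTEXTENSION", "ServicePrincipal"),  # not a User
    make_event("ops.admin@example.com", "DB01", "VMACCESSAGENT"),                       # new VM + ext
    make_event("j.doe@example.com", "WEB01", "RUNCOMMANDWINDOWS", outcome="Failure"),   # not success
    make_event("j.doe@example.com", "WEB01", "AZUREMONITORWINDOWSAGENT"),               # not high-risk
]

if __name__ == "__main__":
    for d in triage(LIVE, BASELINE):
        print(f"ALERT {d.principal} deployed {d.extension} on {d.vm}")
```

Keeping the baseline as a set of exact triples means a known admin deploying a known extension to a new VM, or a new extension to a known VM, still alerts; broaden a key (for example, drop the VM for a principal that legitimately patches an entire resource group) only after reviewing that pattern in the logs.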