diff --git a/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
new file mode 100644
index 00000000000..3aef62f87c5
--- /dev/null
+++ b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
@@ -0,0 +1,148 @@
+[metadata]
+creation_date = "2026/05/20"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2026/05/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal.
+Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and
+RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on
+Azure-hosted virtual machines without requiring direct network access to the VM.
+"""
+false_positives = [
+ """
+ Legitimate administrators and automation may deploy Custom Script, Run Command, DSC, or monitoring extensions during
+ provisioning, patching, or guest configuration. Baseline expected principals, VMs, and extension types before
+ tuning exclusions.
+ """,
+]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure VM Extension Deployment by Interactive User"
+note = """## Triage and analysis
+
+### Investigating Azure VM Extension Deployment by Interactive User
+
+This rule flags successful `MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE` operations performed by a user principal
+where the extension resource ID matches high-risk extension families (VMAccess, Custom Script, Run Command, DSC,
+Microsoft Monitoring Agent).
+
+### Triage checklist
+
+- Is the caller UPN a known admin or automation account?
+- Is the source IP or ASN consistent with corporate infrastructure or a known VPN?
+- Was this extension deployment preceded by a Run Command invocation on the same VM?
+- Did the extension deployment coincide with new local account creation on the endpoint?
+- Check `azure.activitylogs.identity.claims.authnmethodsreferences` — was MFA present?
+- Correlate with endpoint telemetry: process events parented by `WaAppAgent.exe` or `walinuxagent` within 120 seconds of
+ the extension write timestamp on the same host.
+
+### Possible investigation steps
+
+- Review `azure.activitylogs.identity.authorization.evidence.principal_id` and Entra sign-in logs for the caller.
+- Examine `azure.resource.id` and `azure.resource.name` to identify the VM and extension type deployed.
+- Pivot on the VM for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` and endpoint Run Command or `waagent` activity.
+- Review role assignments for the principal on the subscription or resource group.
+
+### Response and remediation
+
+- If unauthorized, remove the extension, rotate credentials, and review RBAC on the affected VM and scope.
+- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
+"""
+references = ["https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview"]
+risk_score = 47
+rule_id = "e842d39d-ead1-48c6-97f1-6b055476c2f3"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+data_stream.dataset:azure.activitylogs and
+azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" and
+azure.activitylogs.identity.authorization.evidence.principal_type:User and
+event.outcome:(success or Success) and
+azure.resource.id:(
+ *VMACCESSAGENT* or
+ *CUSTOMSCRIPTEXTENSION* or
+ *RUNCOMMANDWINDOWS* or
+ *RUNCOMMANDLINUX* or
+ */DSC/* or
+ *MICROSOFTMONITORINGAGENT*
+)
+'''
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "event.outcome",
+ "azure.activitylogs.operation_name",
+ "azure.activitylogs.identity.authorization.evidence.principal_id",
+ "azure.activitylogs.identity.authorization.evidence.principal_type",
+ "azure.activitylogs.identity.claims_initiated_by_user.name",
+ "azure.resource.id",
+ "azure.resource.name",
+ "source.ip",
+ "source.geo.country_name",
+ "source.as.organization.name",
+ "azure.subscription_id",
+ "azure.activitylogs.tenant_id",
+]
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.002"
+name = "Create Cloud Instance"
+reference = "https://attack.mitre.org/techniques/T1578/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
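Review bot: The `azure.resource.id` wildcard list in `query` keys on the extension resource path, whose final segment is, as far as I can tell from the Azure resource ID layout, the extension instance name supplied in the deployment request rather than the extension publisher/type, so coverage depends on callers keeping the default names; the `*/DSC/*` pattern additionally requires a further path segment after DSC and would not match a resource ID that ends in the DSC segment. Consider adding a sentence to `note` stating that detection relies on default extension names, and confirming whether the integration exposes the requested publisher/type so the rule can match on that field instead. The patterns are all upper-case while `event.outcome:(success or Success)` hedges casing on another field; confirm that `azure.resource.id` is normalised to upper case in these events, or add the lower-case forms. Separately, the third `[[rule.threat]]` maps the rule to T1578.002 `Create Cloud Instance`, but an extension write on an existing VM does not create an instance; the parent technique T1578 alone would be a closer fit. The reference URL uses the legacy `docs.microsoft.com` host, which now redirects; `https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview` is the current location.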