From a23e11b04fb45fc731ed2006123ba7ec963abe05 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Thu, 21 May 2026 17:49:31 +0100 Subject: [PATCH 1/3] [New] Azure VM Extension Deployment by Interactive User Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal. Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on Azure-hosted virtual machines without requiring direct network access to the VM. --- ...ension_deployment_by_interactive_user.toml | 139 ++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
diff --git a/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
new file mode 100644
index 00000000000..051c4910029
--- /dev/null
+++ b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
@@ -0,0 +1,139 @@
+[metadata]
+creation_date = "2026/05/20"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2026/05/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal.
+Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and
+RunCommand to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on
+Azure-hosted virtual machines without requiring direct network access to the VM.
+"""
+false_positives = [
+ """
+ Legitimate administrators and automation may deploy Custom Script, Run Command, DSC, or monitoring extensions during
+ provisioning, patching, or guest configuration. Baseline expected principals, VMs, and extension types before
+ tuning exclusions.
+ """,
+]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure VM Extension Deployment by Interactive User"
+note = """## Triage and analysis
+
+### Investigating Azure VM Extension Deployment by Interactive User
+
+This rule flags successful `MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE` operations performed by a user principal
+where the extension resource ID matches high-risk extension families (VMAccess, Custom Script, Run Command, DSC,
+Microsoft Monitoring Agent).
+
+### Triage checklist
+
+- Is the caller UPN a known admin or automation account?
+- Is the source IP or ASN consistent with corporate infrastructure or a known VPN?
+- Was this extension deployment preceded by a Run Command invocation on the same VM?
+- Did the extension deployment coincide with new local account creation on the endpoint?
+- Check `azure.activitylogs.identity.claims.authnmethodsreferences` — was MFA present?
+- Correlate with endpoint telemetry: process events parented by `WaAppAgent.exe` or `walinuxagent` within 120 seconds of
+ the extension write timestamp on the same host.
+
+### Possible investigation steps
+
+- Review `azure.activitylogs.identity.authorization.evidence.principal_id` and Entra sign-in logs for the caller.
+- Examine `azure.resource.id` and `azure.resource.name` to identify the VM and extension type deployed.
+- Pivot on the VM for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` and endpoint Run Command or `waagent` activity.
+- Review role assignments for the principal on the subscription or resource group.
+
+### Response and remediation
+
+- If unauthorized, remove the extension, rotate credentials, and review RBAC on the affected VM and scope.
+- Isolate the VM and collect endpoint and activity log artifacts per incident procedures.
+"""
+references = ["https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview"]
+risk_score = 47
+rule_id = "e842d39d-ead1-48c6-97f1-6b055476c2f3"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+data_stream.dataset:azure.activitylogs and
+azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" and
+azure.activitylogs.identity.authorization.evidence.principal_type:User and
+event.outcome:(success or Success) and
+azure.resource.id:(
+ *VMACCESSAGENT* or
+ *CUSTOMSCRIPTEXTENSION* or
+ *RUNCOMMANDWINDOWS* or
+ *RUNCOMMANDLINUX* or
+ */DSC/* or
+ *MICROSOFTMONITORINGAGENT*
+)
+'''
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "event.outcome",
+ "azure.activitylogs.operation_name",
+ "azure.activitylogs.identity.authorization.evidence.principal_id",
+ "azure.activitylogs.identity.authorization.evidence.principal_type",
+ "azure.activitylogs.identity.claims_initiated_by_user.name",
+ "azure.resource.id",
+ "azure.resource.name",
+ "source.ip",
+ "source.geo.country_name",
+ "source.as.organization.name",
+ "azure.subscription_id",
+ "azure.activitylogs.tenant_id",
+]
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.002"
+name = "Create Cloud Instance"
+reference = "https://attack.mitre.org/techniques/T1578/002/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
From 5842a64a96ecd0c32e0271c1d0c734f4978f6d33 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Thu, 21 May 2026 18:00:30 +0100 Subject: [PATCH 2/3] Update persistence_azure_vm_extension_deployment_by_interactive_user.toml --- ...ension_deployment_by_interactive_user.toml | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
index 051c4910029..50c89df6445 100644
--- a/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
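Review bot: The high-risk filter in `query` keys on `azure.resource.id`, and the last path segment of an extension resource ID is the extension *resource name* chosen by whoever deploys it, not the publisher/type; a caller can install CustomScript or VMAccess under an arbitrary name (`az vm extension set --extension-instance-name`, or any name in an ARM/Bicep resource) and match none of the six wildcards, so the rule should say so rather than imply these families are covered. Unless the integration exposes the extension publisher/type from the request body in a field I do not see used here, I would add to the `note`: `The extension name in the resource ID is caller-chosen; an EXTENSIONS/WRITE by a user principal that matches none of these patterns still warrants review.` Separately, `*/DSC/*` matches any path segment named DSC, so a resource group or VM called `dsc` would hit on every extension write — `*/EXTENSIONS/DSC*` anchors it to the extension segment. Finally, `principal_type:User` establishes a user principal, not an interactive sign-in (a CLI refresh token qualifies too), so the "Interactive User" wording in `name`/`description` overstates what the query checks.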
+++ b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
@@ -65,6 +65,7 @@ tags = [
 "Data Source: Azure Activity Logs",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
+ "Tactic: Defense Evasion",
 "Tactic: Execution",
 "Resources: Investigation Guide",
 ]
@@ -116,9 +117,9 @@ name = "Create Cloud Instance"
 reference = "https://attack.mitre.org/techniques/T1578/002/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -128,12 +129,20 @@ id = "T1651"
 name = "Cloud Administration Command"
 reference = "https://attack.mitre.org/techniques/T1651/"
 
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
 
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
From a4bc4501e0d8668b61434b17a6d904677a89ae09 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Thu, 21 May 2026 18:09:21 +0100 Subject: [PATCH 3/3] ++ --- ...ension_deployment_by_interactive_user.toml | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
index 50c89df6445..3aef62f87c5 100644
--- a/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
+++ b/rules/integrations/azure/persistence_azure_vm_extension_deployment_by_interactive_user.toml
@@ -107,19 +107,14 @@ field_names = [
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1578"
-name = "Modify Cloud Compute Infrastructure"
-reference = "https://attack.mitre.org/techniques/T1578/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1578.002"
-name = "Create Cloud Instance"
-reference = "https://attack.mitre.org/techniques/T1578/002/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -138,11 +133,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.002"
+name = "Create Cloud Instance"
+reference = "https://attack.mitre.org/techniques/T1578/002/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
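Review bot: The sub-technique carried into the second hunk, `T1578.002` "Create Cloud Instance", does not describe what the rule detects — an `EXTENSIONS/WRITE` against an existing VM creates no instance — so the mapping will mislead anyone pivoting on ATT&CK coverage. Keeping the parent `T1578` under Defense Evasion is reasonable; I would drop the `[[rule.threat.technique.subtechnique]]` block, or replace it with the "Modify Cloud Compute Configurations" sub-technique if the ATT&CK version this repo pins includes it, and verify the choice against the framework data rather than taking my recollection of the ID. The reorder itself looks correct: each `[rule.threat.tactic]` now follows its technique and the three tactics match the `tags` entries, which sit outside this hunk.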