Azure VM Extension CRUD Operation with Unusual Source ASN

Last updated: 2026-06-15
Created: 2026-06-15

About

Identifies create, read, update, or delete (CRUD) operations against Azure VM or VM scale set extensions ("MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/*" or the scale set equivalent) where the combination of the targeted extension resource name and the source autonomous system (AS) number has not been observed recently. VM extensions such as CustomScript and DSC run with high privilege on the guest (SYSTEM on Windows, root on Linux), so writing, modifying, or removing them is a common code-execution and persistence primitive. By keying a new terms approach on the extension resource name and the source AS number, this rule surfaces extension operations originating from networks that have not historically managed that extension, while routine first-party Microsoft automation (which originates from well-known Microsoft AS numbers) is excluded.
Tags
Domain: Cloud
Domain: Endpoint
Data Source: Azure
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Execution
Tactic: Persistence
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)

Persistence (TA0003)

False Positive Examples
Infrastructure-as-code, configuration management, and patching automation routinely create, update, and delete VM extensions. The first time a given extension resource name is operated on from a new source AS number will alert. Baseline expected management networks (corporate egress, CI/CD runners, third-party automation SaaS) and exclude their AS numbers if the activity is verified as authorized. Read operations are typically not emitted to the Azure activity log; the rule predominantly fires on WRITE and DELETE.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
Related Integrations

azure

Query
    data_stream.dataset:azure.activitylogs and
    event.action:(
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE" or
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/READ" or
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" or
      "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/DELETE" or
      "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/READ" or
      "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/EXTENSIONS/WRITE"
    ) and
    event.outcome:(Success or success) and
    azure.resource.name:* and
    source.as.number:(* and not (3598 or 8068 or 8069 or 8070 or 8071 or 8072 or 8073 or 8074 or 8075 or 12076))
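As an added example (not code from the rule, from Elastic, or from the Azure integration), the following Python re-implements the filter above together with a simplified version of the new-terms evaluation, run over constructed activity-log events. The events, the extension resource names, and the 645xx source AS numbers are assumed sample values; only the action strings and the excluded Microsoft AS numbers come from the query.

```python
# Added example, not part of the Elastic rule or the Azure integration: a
# simplified re-implementation of the rule's filter and "new terms" logic over
# constructed azure.activitylogs-style events. Field names follow the query;
# the sample events, resource names and 645xx AS numbers are constructed.
MATCHED_ACTIONS = {
    f"MICROSOFT.COMPUTE/{scope}/EXTENSIONS/{op}"
    for scope in ("VIRTUALMACHINES", "VIRTUALMACHINESCALESETS")
    for op in ("DELETE", "READ", "WRITE")
}
# First-party Microsoft AS numbers the rule excludes (as listed in the query).
MICROSOFT_ASNS = {3598, 8068, 8069, 8070, 8071, 8072, 8073, 8074, 8075, 12076}

def matches_query(event):
    """True when an event passes the KQL filter part of the rule."""
    asn = event.get("source.as.number")
    return (event.get("data_stream.dataset") == "azure.activitylogs"
            and event.get("event.action") in MATCHED_ACTIONS
            and str(event.get("event.outcome", "")).lower() == "success"
            and bool(event.get("azure.resource.name"))
            and asn is not None and asn not in MICROSOFT_ASNS)

def new_terms_alerts(history, window):
    """Matching events in `window` whose (resource name, source ASN) pair is
    absent from `history`; each new pair alerts once per window."""
    seen = {(e["azure.resource.name"], e["source.as.number"])
            for e in history if matches_query(e)}
    alerts = []
    for e in window:
        if not matches_query(e):
            continue
        key = (e["azure.resource.name"], e["source.as.number"])
        if key not in seen:
            seen.add(key)
            alerts.append(e)
    return alerts

def _ev(action, asn, name="CustomScriptExtension", outcome="Success"):
    # Constructed event using the flattened field names the query references.
    return {"data_stream.dataset": "azure.activitylogs", "event.action": action,
            "event.outcome": outcome, "azure.resource.name": name,
            "source.as.number": asn}

WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
DELETE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE"
SAMPLE_HISTORY = [_ev(WRITE, 64500)]  # baseline: writes from corporate egress ASN
SAMPLE_WINDOW = [
    _ev(WRITE, 64500),                     # known pair: no alert
    _ev(WRITE, 8075),                      # Microsoft ASN: excluded by the query
    _ev(WRITE, 64501),                     # new ASN for this extension: alert
    _ev(WRITE, 64501),                     # same pair again: no second alert
    _ev(WRITE, 64502, outcome="Failure"),  # failed write: not a success, ignored
    _ev(DELETE, 64500, name="DSC"),        # known ASN, new resource name: alert
]
```

Running `new_terms_alerts(SAMPLE_HISTORY, SAMPLE_WINDOW)` yields two alerts: the first write from AS 64501 and the DSC delete, which mirrors the false-positive note above that a known network touching a new extension resource name still fires.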

Install detection rules in Elastic Security

Detect Azure VM Extension CRUD Operation with Unusual Source ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.