Azure VM Extension Deployment by User

Last updated 2026-05-20
Created 2026-05-20

About

Identifies the successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal. Extensions are pushed through the Azure control plane and run by the VM agent as SYSTEM on Windows or root on Linux, so an attacker holding a privileged Azure RBAC role (for example Virtual Machine Contributor, which grants Microsoft.Compute/virtualMachines/extensions/write) can abuse VMAccess, CustomScriptExtension, RunCommand and similar extensions to execute arbitrary code, create or reset local accounts, harvest credentials, and establish persistence on Azure-hosted virtual machines without any network path to the guest.
Tags
Domain: Cloud, Domain: Endpoint, Data Source: Azure, Data Source: Azure Activity Logs, Use Case: Threat Detection, Tactic: Persistence, Tactic: Defense Evasion, Tactic: Execution, Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Execution (TA0002)

Defense Evasion (TA0005)

False Positive Examples
Legitimate administrators and automation may deploy Custom Script, Run Command, DSC, or monitoring extensions during provisioning, patching, or guest configuration. Baseline expected principals, VMs, and extension types before tuning exclusions.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
Related Integrations

azure

Query
data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE" and azure.activitylogs.identity.authorization.evidence.principal_type:User and event.outcome:(success or Success) and azure.resource.id:( *VMACCESSAGENT* or *CUSTOMSCRIPTEXTENSION* or *RUNCOMMANDWINDOWS* or *RUNCOMMANDLINUX* or */DSC/* or *MICROSOFTMONITORINGAGENT* )

The azure.resource.id wildcards are tested against the extension resource ID, whose final path segment is the extension instance name chosen by the deployer. The portal and az vm extension set default that name to the extension type, but it can be set to any value, so a CustomScriptExtension deployed under a renamed instance is not caught by this rule. Note also that */DSC/* requires a slash after DSC, whereas an instance simply named DSC produces an ID ending in /EXTENSIONS/DSC; check the resource IDs in your own activity logs against each pattern before relying on it, and exclude service principals deliberately: the principal_type:User clause already drops pipeline and managed-identity deployments.
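The rule's predicate re-implemented in Python and run over a handful of activity log records, as an added example that is not part of the rule or of Elastic's code. The records are constructed for illustration: their field paths follow the azure.activitylogs dataset names used in the KQL above, and the subscription GUID, resource group and VM name are made up. The sample deliberately includes the two cases the wildcards miss (an instance named DSC and a renamed CustomScriptExtension) so the behaviour of the patterns can be checked rather than assumed.

```python
"""The detection predicate of the 'Azure VM Extension Deployment by User'
rule, re-implemented in Python and run over constructed activity log records.

Added example, not Elastic's rule code. The records are constructed for
illustration: the field paths follow the azure.activitylogs dataset as used
in the rule's KQL, and the subscription GUID and VM names are made up."""

from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

EXTENSION_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"

# The rule's azure.resource.id wildcards, verbatim. They are tested against
# the extension's full resource ID, whose last path segment is the extension
# *instance* name picked by the deployer (the portal and CLI default it to
# the extension type, but it can be set to anything).
HIGH_RISK_EXTENSION_PATTERNS = [
    "*VMACCESSAGENT*",
    "*CUSTOMSCRIPTEXTENSION*",
    "*RUNCOMMANDWINDOWS*",
    "*RUNCOMMANDLINUX*",
    "*/DSC/*",
    "*MICROSOFTMONITORINGAGENT*",
]


def field(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS-style field path (e.g. 'event.outcome') in a nested record."""
    node: Any = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(record: Dict[str, Any]) -> bool:
    """True when the record satisfies every clause of the rule's KQL query."""
    if field(record, "data_stream.dataset") != "azure.activitylogs":
        return False
    if field(record, "azure.activitylogs.operation_name") != EXTENSION_WRITE:
        return False
    principal = field(
        record, "azure.activitylogs.identity.authorization.evidence.principal_type"
    )
    if principal != "User":
        return False  # service principals and managed identities are out of scope
    if field(record, "event.outcome") not in ("success", "Success"):
        return False
    resource_id = field(record, "azure.resource.id") or ""
    # Case-sensitive glob match, mirroring the upper-case patterns in the rule
    # (activity log exports write resource IDs in upper case).
    return any(fnmatchcase(resource_id, p) for p in HIGH_RISK_EXTENSION_PATTERNS)


def alerts(records: List[Dict[str, Any]]) -> List[str]:
    """Resource IDs of the records that would raise an alert, in input order."""
    return [field(r, "azure.resource.id") for r in records if matches_rule(r)]


def activity_log_record(principal_type: str, outcome: str, resource_id: str) -> Dict[str, Any]:
    """Build a minimal constructed activity log record with only the fields the rule reads."""
    return {
        "data_stream": {"dataset": "azure.activitylogs"},
        "event": {"outcome": outcome},
        "azure": {
            "activitylogs": {
                "operation_name": EXTENSION_WRITE,
                "identity": {
                    "authorization": {"evidence": {"principal_type": principal_type}}
                },
            },
            "resource": {"id": resource_id},
        },
    }


# Constructed sample: one VM, six extension writes (GUID and names are made up).
VM_ID = (
    "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG"
    "/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01"
)
SAMPLE_RECORDS = [
    # 1. Interactive user installs CustomScriptExtension: alert.
    activity_log_record("User", "Success", VM_ID + "/EXTENSIONS/CUSTOMSCRIPTEXTENSION"),
    # 2. Same extension pushed by a deployment pipeline's service principal: excluded.
    activity_log_record("ServicePrincipal", "Success", VM_ID + "/EXTENSIONS/CUSTOMSCRIPTEXTENSION"),
    # 3. VMAccess deployment that failed (e.g. VM deallocated): excluded by outcome.
    activity_log_record("User", "Failure", VM_ID + "/EXTENSIONS/VMACCESSAGENT"),
    # 4. Run Command extension for Windows deployed by a user: alert.
    activity_log_record("User", "Success", VM_ID + "/EXTENSIONS/RUNCOMMANDWINDOWS"),
    # 5. DSC extension with an instance named DSC: NOT matched, because
    #    "*/DSC/*" requires a "/" after DSC and this ID ends at "/DSC".
    activity_log_record("User", "Success", VM_ID + "/EXTENSIONS/DSC"),
    # 6. CustomScriptExtension deployed under a renamed instance: NOT matched,
    #    since the rule keys on the instance name, not the publisher/type.
    activity_log_record("User", "Success", VM_ID + "/EXTENSIONS/PATCHHELPER"),
]

if __name__ == "__main__":
    for resource_id in alerts(SAMPLE_RECORDS):
        print("ALERT", resource_id)
```

Running the script alerts on records 1 and 4 only. Records 5 and 6 are the ones worth re-testing against your own data: if the extension resource IDs in your activity logs end in the instance name, as in the sample, a pattern such as */DSC/* silently matches nothing, and an attacker who names the instance anything other than the defaults walks past the resource ID filter entirely.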

Install detection rules in Elastic Security

Detect Azure VM Extension Deployment by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.