Azure Suspicious VM Extension Installation

Azure Suspicious VM Extension Installation

Detection overview

Triggers

  • A Microsoft Entra Identity is using a highly permissive role within a Resource Group or Subscription scope to install and execute a VM extension without explicit consent or an audit trail. This is unusual for the identity.

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to install a VM extension without permission.
  • Misconfigured Security Settings: A Microsoft Entra Identity has been granted excessive permissions, allowing them to install VM extensions.
  • Exploitation of a Vulnerability: A security flaw in Azure�s VM extension deployment process is being leveraged.
  • Human Error: Mistakes during VM management or maintenance have led to unintended installations.
  • Legitimate Activity: A valid identity, which typically does not interact with VM extensions, is installing an extension to fulfill a job function.

Business Impact

  • Data loss or corruption due to unauthorized access.
  • System compromise or ransomware attacks.
  • Unplanned changes, service disruptions, or downtime for critical services.
  • Compliance and regulatory issues due to inadequate security controls.

Steps to Verify

  • Review Azure Activity Logs for other suspicious extension deployments.
  • Investigate the user or service principal responsible for the deployment.
  • Validate the VM extension configuration and associated permissions.
  • Analyze network traffic and system logs for additional indicators of compromise (IOCs).
  • Conduct a thorough security audit and risk assessment to identify vulnerabilities and implement necessary remediation actions.
Azure Suspicious VM Extension Installation

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious VM Extension Installation

Example scenarios

Azure Suspicious VM Extension Installation

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious VM Extension Installation

Steps to investigate

Azure Suspicious VM Extension Installation

MITRE ATT&CK techniques covered

Azure Suspicious VM Extension Installation

Related detections

No items found.

FAQs