Azure Suspicious VM Scale Set Extension Installation

Azure Suspicious VM Scale Set Extension Installation

Detection overview

Triggers

  • A Microsoft Entra Identity is using a highly permissive role within a Resource Group or Subscription scope to install and execute an extension within a VM Scale Set (VMSS) without explicit consent or an audit trail. This is unusual for the identity.

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to install extensions on VM Scale Sets without permission.
  • Misconfigured Security Settings: A Microsoft Entra Identity has been granted excessive permissions, allowing them to install extensions on VM Scale Sets.
  • Malware or Vulnerability Exploitation: An attacker is using malware or exploiting a vulnerability in the VM�s operating system to escalate privileges and install high-risk extensions.
  • Human Error: Mistakes during VM Scale Set management or maintenance have led to unintended installations.
  • Legitimate Administrative Action: A valid identity, which typically does not interact with VM Scale Set extensions, is installing an extension to fulfill a job function.

Business Impact

  • Data loss or corruption due to unauthorized access.
  • System compromise or ransomware attacks.
  • Unplanned changes, service disruptions, or downtime for critical services.
  • Compliance and regulatory issues due to inadequate security controls.

Steps to Verify

  • Investigate the user or service principal responsible for the deployment. Review the identity for any signs of unauthorized access or excessive privileges.
  • Analyze Extension Parameters: Examine the parameters used in the extension installation to identify potential security risks, such as the deletion of sensitive data.
  • Check Execution Time and Frequency: Review the Azure Activity Logs to verify if the suspicious extension installations are occurring within regular business hours or if multiple instances are occurring within a short timeframe.
  • Review VM Scale Set (VMSS) Configuration and Permissions: Ensure that the VMSS�s configuration and permissions align with organizational security policies.
  • Conduct a thorough security audit and risk assessment to identify vulnerabilities and implement necessary remediation actions.
Azure Suspicious VM Scale Set Extension Installation

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious VM Scale Set Extension Installation

Example scenarios

Azure Suspicious VM Scale Set Extension Installation

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious VM Scale Set Extension Installation

Steps to investigate

Azure Suspicious VM Scale Set Extension Installation

MITRE ATT&CK techniques covered

Azure Suspicious VM Scale Set Extension Installation

Related detections

No items found.

FAQs