Vectra AI Threat Briefing: How Attackers Use Shodan & FOFA

Vectra AI Threat Briefing: How Attackers Use Shodan & FOFA >

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

Azure Suspicious VM Scale Set Extension Installation

Azure Suspicious VM Scale Set Extension Installation
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • A Microsoft Entra Identity is using a highly permissive role within a Resource Group or Subscription scope to install and execute an extension within a VM Scale Set (VMSS) without explicit consent or an audit trail. This is unusual for the identity.

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to install extensions on VM Scale Sets without permission.
  • Misconfigured Security Settings: A Microsoft Entra Identity has been granted excessive permissions, allowing them to install extensions on VM Scale Sets.
  • Malware or Vulnerability Exploitation: An attacker is using malware or exploiting a vulnerability in the VM�s operating system to escalate privileges and install high-risk extensions.
  • Human Error: Mistakes during VM Scale Set management or maintenance have led to unintended installations.
  • Legitimate Administrative Action: A valid identity, which typically does not interact with VM Scale Set extensions, is installing an extension to fulfill a job function.

Business Impact

  • Data loss or corruption due to unauthorized access.
  • System compromise or ransomware attacks.
  • Unplanned changes, service disruptions, or downtime for critical services.
  • Compliance and regulatory issues due to inadequate security controls.

Steps to Verify

  • Investigate the user or service principal responsible for the deployment. Review the identity for any signs of unauthorized access or excessive privileges.
  • Analyze Extension Parameters: Examine the parameters used in the extension installation to identify potential security risks, such as the deletion of sensitive data.
  • Check Execution Time and Frequency: Review the Azure Activity Logs to verify if the suspicious extension installations are occurring within regular business hours or if multiple instances are occurring within a short timeframe.
  • Review VM Scale Set (VMSS) Configuration and Permissions: Ensure that the VMSS�s configuration and permissions align with organizational security policies.
  • Conduct a thorough security audit and risk assessment to identify vulnerabilities and implement necessary remediation actions.
Azure Suspicious VM Scale Set Extension Installation

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious VM Scale Set Extension Installation

Example scenarios

Azure Suspicious VM Scale Set Extension Installation

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious VM Scale Set Extension Installation

Steps to investigate

Azure Suspicious VM Scale Set Extension Installation

MITRE ATT&CK techniques covered

Cloud Administration Command

T1651

Create or Modify System Process

T1543
Azure Suspicious VM Scale Set Extension Installation

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs