Azure VM Extension Deployment by Interactive User
Successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal can lead to arbitrary code execution, backdoor account creation, credential harvesting, and persistence on Azure-hosted virtual machines.
Attackers with privileged Azure RBAC roles can abuse VM extensions such as VMAccess, CustomScriptExtension, and RunCommand to execute arbitrary code on Azure-hosted virtual machines. This can be achieved without direct network access to the VMs. The deployment of these extensions by an interactive user, as opposed to automated processes, raises the risk of malicious activity. This activity is performed using valid credentials and may evade traditional network-based security controls. The risk is further amplified by the potential for persistence, privilege escalation, and lateral movement within the Azure environment. Defenders need to monitor for anomalous extension deployments to detect and respond to potential compromises early in the attack lifecycle.
Attack Chain
- An attacker gains initial access to an Azure account with sufficient RBAC permissions (e.g., Virtual Machine Contributor).
- The attacker authenticates to the Azure Resource Manager API as a user principal.
- The attacker deploys a malicious VM extension to a target Azure Virtual Machine using the MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE operation. This could be a CustomScriptExtension to execute arbitrary code.
- The attacker leverages the deployed extension to execute commands on the target VM, potentially creating a new user account for persistence.
- The extension may be used to harvest credentials stored on the VM, allowing the attacker to escalate privileges.
- The attacker uses the harvested credentials or the newly created account to move laterally to other resources within the Azure environment.
- The attacker attempts to disable or evade security controls on the VM to maintain access and avoid detection.
- The attacker establishes persistent access to the Azure environment for long-term control and data exfiltration or further malicious activities.
Impact
Successful exploitation can lead to the compromise of Azure-hosted virtual machines, allowing attackers to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence. This can result in data breaches, service disruption, and further lateral movement within the Azure environment. Because extension deployment requires no direct network access to the VM, this attack vector is particularly stealthy and difficult to detect with traditional network-based security controls.
Recommendation
- Deploy the Sigma rule “Azure VM Extension Deployment by User” to your SIEM to detect suspicious deployments of high-risk VM extensions by interactive users.
- Investigate any alerts generated by the “Azure VM Extension Deployment by User” Sigma rule, focusing on the caller UPN, source IP, and the extension type deployed.
- Baseline expected principals, VMs, and extension types before tuning exclusions based on the false positives described in the brief.
- Review role assignments for principals on the subscription or resource group to identify potentially excessive permissions.
- Monitor Azure Activity Logs for MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE operations performed by user principals, filtering for high-risk extension families (VMAccess, Custom Script, Run Command, DSC, Microsoft Monitoring Agent).
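As an added example (not part of this brief or of any published Sigma rule), the following Python applies the Recommendation's filters to constructed Activity Log records in the Azure Monitor export shape: successful EXTENSIONS/WRITE, principal type User, extension name matching a high-risk family. The field names (operationName, resultType, caller, callerIpAddress, identity.authorization.evidence.principalType, resourceId) are assumed to follow that export schema, and the family match is a substring heuristic on the extension resource name.

```python
"""Flag successful high-risk Azure VM extension writes by interactive users."""

# Operation from the brief; compared case-insensitively because exports vary in case.
EXT_WRITE_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
# High-risk extension families from the brief, as lowercase substrings of the extension name.
HIGH_RISK_FAMILIES = ("vmaccess", "customscript", "runcommand", "dsc", "monitoringagent")


def _record(caller, ip, principal_type, result, ext_name, op=EXT_WRITE_OP):
    """Build a constructed Activity Log record (Azure Monitor export shape, assumed)."""
    return {
        "operationName": op,
        "resultType": result,
        "caller": caller,
        "callerIpAddress": ip,
        "identity": {"authorization": {"evidence": {"principalType": principal_type}}},
        "resourceId": ("/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/"
                       "Microsoft.Compute/virtualMachines/web01/extensions/" + ext_name),
    }


# Constructed sample log lines, not real tenant data. Only records 1 and 5 should alert.
SAMPLE_LOGS = [
    _record("alice@example.com", "203.0.113.10", "User", "Success", "enablevmaccess"),
    _record("app-id-placeholder", "10.0.0.5", "ServicePrincipal", "Success", "CustomScriptExtension"),
    _record("bob@example.com", "198.51.100.7", "User", "Failure", "CustomScriptExtension"),
    _record("carol@example.com", "203.0.113.11", "User", "Success", "AzureNetworkWatcher"),
    _record("dave@example.com", "203.0.113.12", "User", "Success", "RunCommandLinux"),
    _record("erin@example.com", "203.0.113.13", "User", "Success", "enablevmaccess",
            op="MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION"),
]


def extension_name(resource_id):
    """Return the lowercase extension resource name (segment after 'extensions'), or None."""
    parts = resource_id.lower().split("/")
    try:
        return parts[parts.index("extensions") + 1]
    except (ValueError, IndexError):
        return None


def detect_user_extension_writes(records):
    """Return one alert dict (caller, ip, vm, extension) per matching record."""
    alerts = []
    for rec in records:
        if rec.get("operationName", "").upper() != EXT_WRITE_OP:
            continue
        if rec.get("resultType", "").lower() not in ("success", "succeeded"):
            continue  # failed writes belong in a separate, lower-severity rule
        evidence = rec.get("identity", {}).get("authorization", {}).get("evidence", {})
        if evidence.get("principalType") != "User":
            continue  # service principals / managed identities are the expected automation path
        ext = extension_name(rec.get("resourceId", "")) or ""
        # The extension resource name is chosen by the deployer, so this substring match is a
        # triage heuristic: confirm publisher/type on the VM's extension resource before acting.
        if not any(family in ext for family in HIGH_RISK_FAMILIES):
            continue
        vm = rec["resourceId"].split("/extensions/")[0].rsplit("/", 1)[-1]
        alerts.append({"caller": rec["caller"], "ip": rec["callerIpAddress"],
                       "vm": vm, "extension": ext})
    return alerts
```

Alerts carry the caller UPN, source IP, VM and extension name, the three triage fields the Recommendation lists, so a baseline of expected principals and VMs can be applied on top.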
Detection coverage (2 rules)
- Azure VM Extension Deployment by User (severity: medium): Detects successful deployment of high-risk Azure Virtual Machine extensions by interactive user principals.
- Azure VM Extension Run Command Execution (severity: low): Detects the execution of Run Command on Azure VMs, which could indicate malicious activity.