[New Rule] Unusual Azure VM Extension Installed; Suspicious Child Process via Azure VM CustomScript Extension#6277
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
…ibling; adjusts the intent of unusual extension
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Pull request overview
This PR adds two new detection rules focused on Azure VM extension abuse: one control-plane rule that surfaces first-seen VM extension instance names per host from Azure Activity Logs, and one endpoint rule that detects suspicious process execution associated with the Azure CustomScript extension handler on Windows.
Changes:
- Adds an ES|QL rule to alert on first-seen
(VM, extension instance name)pairs inlogs-azure.activitylogs-*. - Adds an EQL rule to detect suspicious Windows child process execution tied to
CustomScriptHandler.exe. - Includes investigation guides and ATT&CK mappings for both rules.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| rules/windows/execution_azure_customscript_extension_suspicious_descendant.toml | New Windows endpoint EQL rule for suspicious process execution associated with Azure CustomScript extension activity. |
| rules/integrations/azure/execution_azure_vm_extension_unusual_for_host.toml | New Azure Activity Logs ES |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
⛔️ Test failed Results
|
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
| // new terms emulation: fire only when the (host, extension name) pair is the single occurrence in the | ||
| // 7-day window (event_count == 1) and it is recent (within the schedule interval + ingest-lag buffer) | ||
| | EVAL Esql.recent_minutes = DATE_DIFF("minute", Esql.first_time_seen, NOW()) | ||
| | WHERE Esql.recent_minutes <= 10 AND Esql.event_count == 1 |
There was a problem hiding this comment.
Just a comment: an attacker who deploys and then modifies their extension only generates one alert at deploy time. Will this be caught in a different rule?
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Pull Request
Issue link(s):
Summary - What I changed
Adds detection for extensions installed on Azure VMs that are not native (default) and have never been seen before
azure.resource.namein the tenant. Extensions are post-install scripts that execute commands at higher system level privileges. These have historically been abused by adversaries post serial connection to VMs.How To Test
Query can be used in TRADE stack and other telemetry stacks.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist