Microsoft.HybridCompute/machines/extensions/delete
Azure
Microsoft.HybridCompute/machines/extensions/delete
Event
Removes an extension from an Azure Arc-enabled server.
Security Context
- Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud deletes the MDE.Linux (Microsoft Defender for Endpoint Linux agent) extension from the Arc-enabled on-prem server arc-onprem-pipeline-01. Removing the extension stops the host’s Defender telemetry — Draco can then run further actions on that host without endpoint detection. Maps to T1685 (Disable or Modify Tools).
{ "authorization": { "action": "Microsoft.HybridCompute/machines/extensions/delete", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud" }, "correlationId": "90000000-0000-4000-8000-000011010100", "description": "", "eventDataId": "90000000-0000-4000-8000-000011010101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T23:18:08.7172938Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux/events/90000000-0000-4000-8000-000011010101/ticks/638798312487172938", "level": "Informational", "operationId": "90000000-0000-4000-8000-000011010110", "operationName": { "value": "Microsoft.HybridCompute/machines/extensions/delete", "localizedValue": "Delete Machine Extension" }, "resourceGroupName": "rg-occamy-pipeline", "resourceProviderName": { "value": "Microsoft.HybridCompute", "localizedValue": "Microsoft.HybridCompute" }, "resourceType": { "value": "Microsoft.HybridCompute/machines/extensions", "localizedValue": "Microsoft.HybridCompute/machines/extensions" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Accepted", "localizedValue": "Accepted (HTTP Status Code: 202)" }, "submissionTimestamp": "2026-04-15T23:18:09.0218732Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Accepted", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux", "message": "Microsoft.HybridCompute/machines/extensions/delete", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000011010111", "clientIpAddress": "203.0.113.66", "method": "DELETE", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux?api-version=2024-07-10" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...