Skip to content

Microsoft.HybridCompute/machines/extensions/delete

Azure

Microsoft.HybridCompute/machines/extensions/delete

service: Azure - Azure Arc
techniques:

Event

Removes an extension from an Azure Arc-enabled server.

Security Context

  • Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud deletes the MDE.Linux (Microsoft Defender for Endpoint Linux agent) extension from the Arc-enabled on-prem server arc-onprem-pipeline-01. Removing the extension stops the host’s Defender telemetry — Draco can then run further actions on that host without endpoint detection. Maps to T1685 (Disable or Modify Tools).

{
"authorization": {
"action": "Microsoft.HybridCompute/machines/extensions/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000011010100",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000011010101",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T23:18:08.7172938Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux/events/90000000-0000-4000-8000-000011010101/ticks/638798312487172938",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000011010110",
"operationName": {
"value": "Microsoft.HybridCompute/machines/extensions/delete",
"localizedValue": "Delete Machine Extension"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.HybridCompute",
"localizedValue": "Microsoft.HybridCompute"
},
"resourceType": {
"value": "Microsoft.HybridCompute/machines/extensions",
"localizedValue": "Microsoft.HybridCompute/machines/extensions"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Accepted",
"localizedValue": "Accepted (HTTP Status Code: 202)"
},
"submissionTimestamp": "2026-04-15T23:18:09.0218732Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Accepted",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux",
"message": "Microsoft.HybridCompute/machines/extensions/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000011010111",
"clientIpAddress": "203.0.113.66",
"method": "DELETE",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.HybridCompute/machines/arc-onprem-pipeline-01/extensions/MDE.Linux?api-version=2024-07-10"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...