Skip to content

AZT301.2 - Virtual Machine Scripting: CustomScriptExtension#

By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.


  • Virtual Machine
  • Virtual Machine Scale Sets
  • Azure ARC


  • Microsoft.Compute/virtualMachines/extensions/*
  • Microsoft.Compute/virtualMachines/write


Detection Details#

The commands are stored as .PS1 files and deleted after running.


Data Source Operation Name Action/On-Disk Location Log Provider
Resource Create or Update Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/write AzureActivity
On-Resource File File Creation C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.9.5\Downloads Event
On-Resource File File Creation C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.9.5\Status Event


Platform Query
Log Analytics let timeframe = toscalar(AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties has 'CustomScriptExtension' | distinct TimeGenerated); Event | where EventID == '4104' | where (timeframe - TimeGenerated) <= 1m
Log Analytics AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties has 'CustomScriptExtension'

Azure Monitor Alert#

For resources with Azure Monitor Agent installed

Deploy to Azure

For resources without Azure Monitor Agent installed

Deploy to Azure