
AZT301.2 - Virtual Machine Scripting: CustomScriptExtension

By deploying the 'CustomScriptExtension' extension on a Virtual Machine, an attacker who holds the extension write permission can pass arbitrary PowerShell commands to the VM; the extension handler executes them as NT AUTHORITY\SYSTEM, with no credentials on the VM itself required.
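As an added example that is not part of the original matrix page, the Az PowerShell snippet below pushes an inline command through the extension with `Set-AzVMExtension`. The resource group, VM name and the command are placeholders; the caller needs Microsoft.Compute/virtualMachines/extensions/write on the target VM, and every successful call leaves the Activity Log write event listed under Detections.

```powershell
# Added example: run an inline PowerShell command on a Windows VM through
# CustomScriptExtension with the Az.Compute module. Resource group, VM name
# and the command are placeholders.
Connect-AzAccount | Out-Null   # interactive sign-in; omit if already authenticated

$rg = 'rg-target'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-target'

# The handler runs the command as NT AUTHORITY\SYSTEM. Base64-encoding the
# script (UTF-16LE, as -EncodedCommand expects) avoids quoting problems in the
# JSON settings blob the extension receives.
$script  = 'whoami /all | Out-File C:\Windows\Temp\cse-whoami.txt'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

# -Settings is public and readable by anyone with read access to the VM
# resource; a legitimate administrator would put the command in
# -ProtectedSettings instead.
$settings = @{ commandToExecute = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand $encoded" }

Set-AzVMExtension -ResourceGroupName $rg `
    -VMName $vm.Name `
    -Location $vm.Location `
    -Name 'CustomScriptExtension' `
    -Publisher 'Microsoft.Compute' `
    -ExtensionType 'CustomScriptExtension' `
    -TypeHandlerVersion '1.10' `
    -Settings $settings

# Once the handler finishes, its Status file is surfaced through the instance
# view: StdOut and StdErr of the command appear as sub-statuses.
(Get-AzVMExtension -ResourceGroupName $rg -VMName $vm.Name -Name 'CustomScriptExtension' -Status).SubStatuses |
    ForEach-Object { "$($_.Code): $($_.Message)" }
```

Only one CustomScriptExtension instance can exist per VM, so a repeat of the call with a different command updates the same extension resource and produces another extensions/write event rather than a new extension.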

Resource

  • Virtual Machine
  • Virtual Machine Scale Sets
  • Azure Arc

Actions

  • Microsoft.Compute/virtualMachines/extensions/*
  • Microsoft.Compute/virtualMachines/write

Detections

Detection Details

The commands are written to the VM as .ps1 files under the extension handler's Downloads directory and deleted after they run, so the script itself is usually gone by the time an investigator looks and file-creation telemetry for that directory has to be captured at the time (for example with Sysmon Event ID 11 or EDR file-create events) rather than collected afterwards. The 1.9.5 segment in the paths below is the installed handler version and varies between VMs.

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Create or Update Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/write | Azure Activity Log |
| On-Resource File | File Creation | N/A | C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.9.5\Downloads |
| On-Resource File | File Creation | N/A | C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.9.5\Status |
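To show what can still be recovered from the host after the script has been deleted, here is an added PowerShell triage script (not from the original page). It wildcards the handler version directory and assumes the Status files use the JSON layout the Azure guest agent extension handlers emit: an array of entries whose `status.substatus` items named StdOut and StdErr carry the command output.

```powershell
# Added example: triage the on-disk artifacts CustomScriptExtension leaves on a
# Windows VM. Run on the host as an administrator. The handler version
# directory (1.9.5 in the table above) varies by install, so it is wildcarded.
# Status file parsing assumes the guest-agent JSON format described in the
# lead-in; anything that does not parse is reported rather than skipped silently.
$base = 'C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension'

# 1. Scripts still present in Downloads: collect them before the handler or the
#    operator removes them. An empty listing is the normal post-execution state.
Get-ChildItem -Path "$base\*\Downloads" -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc |
    Format-Table -AutoSize

# 2. Status files persist after the script is deleted and record what ran,
#    when, whether it succeeded, and what it printed.
Get-ChildItem -Path "$base\*\Status\*.status" -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    try {
        $entries = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
    } catch {
        Write-Warning "Could not parse $($file.FullName): $_"
        return   # acts as 'continue' inside ForEach-Object
    }
    foreach ($entry in $entries) {
        [pscustomobject]@{
            StatusFile   = $file.FullName
            TimestampUTC = $entry.timestampUTC
            Operation    = $entry.status.operation
            Result       = $entry.status.status
            StdOut       = ($entry.status.substatus | Where-Object name -eq 'StdOut').formattedMessage.message
            StdErr       = ($entry.status.substatus | Where-Object name -eq 'StdErr').formattedMessage.message
        }
    }
} | Format-List
```

Pair the Status timestamps with the Activity Log event's `Caller` and `CallerIpAddress` to tie the on-host execution back to the identity that wrote the extension.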

Queries

    AzureActivity
    | where OperationNameValue =~ "Microsoft.Compute/virtualMachines/extensions/write"

Run this in the Log Analytics workspace that receives the subscription's Activity Log. The case-insensitive `=~` is used because the AzureActivity schema does not store OperationNameValue in a consistent case, and a case-sensitive `==` comparison can silently miss the event; `Caller` and `CallerIpAddress` on the matching rows identify the principal that wrote the extension.