AZT301.3 - Virtual Machine Scripting: Desired State Configuration#

By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

Resource

Virtual Machine
Virtual Machine Scale Sets

Actions

Microsoft.Compute/virtualMachines/extensions/*
Microsoft.Compute/virtualMachines/write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Set-AzVMDscExtension

az vm extension set

PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{rg name}/providers/Microsoft.Compute/virtualMachines/{vm name]/extensions/DSC?api-version=2022-03-01

dsc

Detections

Logs#

Data Source	Operation Name	Action/On-Disk Location	Log Provider
Resource	Create or Update Virtual Machine Extension	Microsoft.Compute/virtualMachines/extensions/write	AzureActivity
On-Resource File	File Creation	C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\Status	Event

Queries#

Platform	Query
Log Analytics	`let timeframe = toscalar(AzureActivity \| where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties_d has 'Microsoft.Powershell.DSC' \| distinct TimeGenerated); Event \| where EventID == '4104' and ParameterXml has 'Microsoft.Powershell.DSC' and RenderedDescription has '.ps1' \| where (TimeGenerated - timeframe) <= 1m`
Log Analytics	`AzureActivity \| where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties_d has 'Microsoft.Powershell.DSC'`

Azure Monitor Alert#

For resources with Azure Monitor Agent installed

For resources without Azure Monitor Agent installed

Additional Resources

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview