AZT301.3 - Virtual Machine Scripting: Desired State Configuration

By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

Resource

• Virtual Machine
• Virtual Machine Scale Sets

Actions

• Microsoft.Compute/virtualMachines/extensions/*
• Microsoft.Compute/virtualMachines/write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Set-AzVMDscExtension

az vm extension set

PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{rg name}/providers/Microsoft.Compute/virtualMachines/{vm name]/extensions/DSC?api-version=2022-03-01

Detections

Logs

Data Source	Operation Name	Action	Log Location
Resource	Create or Update Virtual Machine Extension	Microsoft.Compute/virtualMachines/extensions/write	Azure Activity Log
On-Resource File	File Creation	N/A	C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\Status

Queries

Log Analytics

   |where OperationNameValue=="Microsoft.Compute/virtualMachines/extensions/write"

Additional Resources

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview