
Microsoft.Compute/virtualMachines/extensions/write

CSP: Azure
Techniques:

Event

Installs or updates a VM extension on an Azure virtual machine, which can run scripts or install software agents.

Security Context

  • Command execution capabilities can be leveraged by adversaries to run arbitrary scripts and tools within the cloud environment.

Log Source

Azure Activity Log
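As an added illustration of how a defender would consume this log source (example code written for this page, not part of the original entry or of any Azure tooling), the following script reads newline-delimited Activity Log records, keeps only `Microsoft.Compute/virtualMachines/extensions/write` operations, extracts the target VM and extension name from the resource ID, and rates writes of script-running extensions higher than routine agent installs. The record shape, the sample events and the `SCRIPT_EXTENSION_HINTS` list are assumptions constructed for the example; the list is illustrative, not a complete catalogue of Azure extensions.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The Azure Activity Log operation this page describes.
OPERATION = "Microsoft.Compute/virtualMachines/extensions/write"

# Extension names that hand the caller command execution on the VM.
# Assumption: illustrative list of well-known Azure extensions, not exhaustive.
SCRIPT_EXTENSION_HINTS = ("customscript", "runcommand", "vmaccess", "dsc")


@dataclass
class Finding:
    caller: str
    vm: str
    extension: str
    status: str
    severity: str


def _flatten(value):
    """Activity Log exports render some fields either as a plain string or as
    {"value": "...", "localizedValue": "..."}; accept both forms."""
    if isinstance(value, dict):
        return value.get("value", "")
    return value or ""


def parse_resource_id(resource_id: str):
    """Pull the VM name and extension name out of an ARM resource ID such as
    /subscriptions/.../virtualMachines/<vm>/extensions/<ext>."""
    parts = resource_id.split("/")
    vm = ext = ""
    for i, seg in enumerate(parts[:-1]):
        if seg.lower() == "virtualmachines":
            vm = parts[i + 1]
        elif seg.lower() == "extensions":
            ext = parts[i + 1]
    return vm, ext


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for extension write events, None for everything else."""
    if _flatten(event.get("operationName")).lower() != OPERATION.lower():
        return None
    vm, ext = parse_resource_id(event.get("resourceId", ""))
    # Extensions that run operator-supplied scripts or reset credentials are the
    # ones most often tied to T1059; any other extension write is still worth review.
    is_script_ext = any(hint in ext.lower() for hint in SCRIPT_EXTENSION_HINTS)
    return Finding(
        caller=event.get("caller", "unknown"),
        vm=vm,
        extension=ext,
        status=_flatten(event.get("status")),
        severity="high" if is_script_ext else "medium",
    )


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run evaluate() over newline-delimited JSON Activity Log records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry) in the shape of Activity Log exports.
SAMPLE_LOG = """
{"operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"}, "caller": "alice@example.com", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScriptExtension"}
{"operationName": "Microsoft.Compute/virtualMachines/extensions/write", "caller": "svc-monitoring@example.com", "status": "Succeeded", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/AzureMonitorLinuxAgent"}
{"operationName": "Microsoft.Compute/virtualMachines/write", "caller": "alice@example.com", "status": "Succeeded", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web02"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.caller} wrote extension {f.extension} on {f.vm} ({f.status})")
```

In practice the `caller` and `extension` fields are what an analyst pivots on: a script-capable extension written by an identity that does not normally administer that VM is the case worth escalating, while the same write from an automation principal that routinely installs monitoring agents is usually expected.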

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence, Execution

Techniques:
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
  • T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.