Microsoft.Compute/virtualMachines/write (CustomScriptExtension)

CSP: Azure
Event

Creates or updates an Azure VM with a Custom Script Extension, executing a script on the VM at provisioning time.

Security Context

  • Command execution capabilities can be leveraged by adversaries to run arbitrary scripts and tools within the cloud environment.

Log Source

Azure Activity Log

Sample Event

MITRE ATT&CK Mapping

Tactics: Execution, Persistence

Techniques:
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
  • T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.