{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/aadsshloginforlinux/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Azure VM", "Azure VM scale set", "CustomScript", "DSC", "AADSSHLoginForLinux"],
      "_cs_severities": ["high"],
      "_cs_tags": ["cloud", "endpoint", "azure", "azure-activity-logs", "threat-detection", "execution", "persistence"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft"],
      "content_html": "\u003cp\u003eThis brief details a threat identified by Elastic, focusing on the abuse of Azure Virtual Machine (VM) and VM Scale Set (VMSS) extensions. Threat actors can perform create, read, update, or delete (CRUD) operations on these extensions, such as \u003ccode\u003eCustomScript\u003c/code\u003e or \u003ccode\u003eDesired State Configuration (DSC)\u003c/code\u003e, from an unusual source Autonomous System (AS) number. These extensions execute with high privileges (SYSTEM on Windows, root on Linux) on the guest operating system, making them a prime target for initial code execution, maintaining persistence, or defense evasion. This technique allows adversaries to run arbitrary commands, install malware, or modify system configurations without direct login, leveraging compromised Azure credentials or identities. The detection specifically targets activity originating from networks not historically associated with managing a given extension resource, while excluding benign first-party Microsoft automation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: Attacker obtains valid Azure credentials (e.g., user account, service principal) through methods such as phishing, credential stuffing, or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement (Azure Plane)\u003c/strong\u003e: Attacker identifies a target Azure subscription or resource group with permissions to manage VM or VM scale set extensions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVM Extension CRUD Operation\u003c/strong\u003e: Attacker uses the compromised credentials to perform a \u003ccode\u003eWRITE\u003c/code\u003e (create/update), \u003ccode\u003eDELETE\u003c/code\u003e, or \u003ccode\u003eREAD\u003c/code\u003e operation against an Azure VM or VMSS extension. This operation originates from an AS number not typically observed for managing that specific resource.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution (Guest OS)\u003c/strong\u003e: If a \u003ccode\u003eWRITE\u003c/code\u003e operation is performed using extensions like \u003ccode\u003eCustomScript\u003c/code\u003e or \u003ccode\u003eDSC\u003c/code\u003e, the malicious script or command embedded in the extension definition is executed on the target VM's guest OS with SYSTEM (Windows) or root (Linux) privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Defense Evasion\u003c/strong\u003e: The executed code establishes persistence mechanisms, such as new services, scheduled tasks, or modifying existing configurations, or removes security agents to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance \u0026amp; Data Exfiltration\u003c/strong\u003e: With high privileges on the VM, the attacker performs internal network reconnaissance, collects sensitive data, and prepares for exfiltration to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact \u0026amp; Follow-on Activity\u003c/strong\u003e: The attacker might deploy ransomware, conduct further lateral movement across the internal network, or maintain long-term access for data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of Azure VM extensions grants attackers SYSTEM or root-level privileges on target virtual machines, leading to severe consequences. This can result in unauthorized code execution, installation of persistent backdoors, and the ability to disable security controls. Organizations can face significant data breaches, potential ransomware deployment, and complete compromise of critical cloud infrastructure. The impact extends to business disruption, regulatory non-compliance, and substantial financial and reputational damage. While specific victim counts are not available for this general technique, highly privileged access on cloud assets is consistently associated with the most severe incident types.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM, focusing on Azure Activity Logs (\u003ccode\u003ecategory: cloud\u003c/code\u003e, \u003ccode\u003eproduct: azure\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for Azure Activity Logs across all subscriptions to capture \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS\u003c/code\u003e events.\u003c/li\u003e\n\u003cli\u003eImplement a baseline of expected \u003ccode\u003esource.as.number\u003c/code\u003e values for all Azure VM/VMSS extension management activities and create an allowlist for known, legitimate ASNs (e.g., CI/CD pipelines, internal management networks).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.activitylogs.identity.authorization.evidence.principal_id\u003c/code\u003e and \u003ccode\u003e...principal_type\u003c/code\u003e fields in alerts to determine the legitimacy and permissions of the principal performing the operation.\u003c/li\u003e\n\u003cli\u003eIntegrate endpoint detection and response (EDR) telemetry (e.g., \u003ccode\u003eprocess_creation\u003c/code\u003e events from \u003ccode\u003eWaAppAgent.exe\u003c/code\u003e or \u003ccode\u003ewalinuxagent\u003c/code\u003e) on Azure VMs to correlate with \u003ccode\u003eWRITE\u003c/code\u003e extension operations for script execution.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-06-19T12:48:20Z",
      "date_published": "2026-06-19T12:48:20Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-06-azure-vm-extension-crud-unusual-source/",
      "summary": "Threat actors are performing create, read, update, or delete (CRUD) operations against Azure VM or VM Scale Set extensions (e.g., CustomScript, DSC) from an anomalous source Autonomous System (AS) number, enabling high-privilege code execution and persistence on guest operating systems (SYSTEM on Windows, root on Linux) by abusing compromised Azure identities.",
      "title": "Azure VM Extension CRUD from Unusual Source ASN",
      "url": "https://feed.craftedsignal.io/briefs/2026-06-azure-vm-extension-crud-unusual-source/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed - AADSSHLoginForLinux",
  "version": "https://jsonfeed.org/version/1.1"
}