<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Virtual Machines CustomScript Extension - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-virtual-machines-customscript-extension/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 12:59:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-virtual-machines-customscript-extension/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Child Process Execution via Azure VM CustomScript Extension</title><link>https://feed.craftedsignal.io/briefs/2026-07-azure-customscript-suspicious-child/</link><pubDate>Fri, 17 Jul 2026 12:59:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-azure-customscript-suspicious-child/</guid><description>Attackers with access to an Azure subscription or VM management plane can leverage the Azure VM CustomScript extension to execute arbitrary code with SYSTEM privileges on Windows virtual machines, leading to various malicious activities such as reconnaissance, malware deployment, and persistence.</description><content:encoded><![CDATA[<p>Attackers who gain initial access to an Azure subscription or virtual machine management plane can exploit the Azure VM CustomScript extension to achieve highly privileged code execution on Windows hosts. This technique involves deploying an attacker-controlled script, which is then executed by the <code>CustomScriptHandler.exe</code> binary via the Azure Guest Agent, typically running with SYSTEM privileges. This capability represents a common and critical cloud-to-host pivot, allowing adversaries to establish a strong foothold within target environments. The detection mechanism focuses on identifying suspicious descendant processes launched by <code>CustomScriptHandler.exe</code>, specifically targeting known Living-Off-The-Land (LOLBins) used for execution, download, or discovery, as well as PowerShell commands exhibiting suspicious tradecraft (e.g., encoded commands, download cradles). This approach allows for robust detection even when attackers attempt to obfuscate their activities by manipulating the extension's resource name, which is not reflected in on-host telemetry.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target Azure subscription or VM management plane, potentially via compromised credentials, misconfigurations, or exploitation of other vulnerabilities.</li>
<li>The attacker creates or updates an Azure VM CustomScript Extension on a target Windows virtual machine, specifying a malicious script or command to be executed.</li>
<li>The Azure Guest Agent on the target VM receives the extension deployment command and downloads the attacker-supplied script or payload.</li>
<li>The <code>CustomScriptHandler.exe</code> process is launched by the Azure Guest Agent, executing the attacker's script with SYSTEM privileges.</li>
<li><code>CustomScriptHandler.exe</code> spawns a suspicious child process, which could be an execution-proxy (e.g., <code>mshta.exe</code>, <code>regsvr32.exe</code>), a download tool (<code>certutil.exe</code>, <code>bitsadmin.exe</code>), a script host (<code>wscript.exe</code>, <code>cscript.exe</code>), a discovery utility (<code>whoami.exe</code>, <code>net.exe</code>, <code>wmic.exe</code>), or a PowerShell instance running encoded commands or download cradles.</li>
<li>The malicious child process executes its payload, which can include further reconnaissance, downloading and installing additional malware, establishing persistence mechanisms, or directly impacting the system (e.g., data exfiltration, ransomware deployment).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the Azure VM CustomScript extension grants attackers arbitrary code execution with SYSTEM privileges on the affected Windows virtual machine. This level of access enables comprehensive control over the compromised system, allowing for complete data compromise, installation of persistence mechanisms, deployment of ransomware, exfiltration of sensitive information, or lateral movement within the network. The impact can extend beyond the single VM, potentially affecting an entire Azure environment if the compromised VM hosts critical services or provides a pivot point to other cloud resources. Organizations may face significant operational disruption, data breaches, and financial losses due to remediation efforts and regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Suspicious Child Process via Azure VM CustomScript Extension&quot; to your SIEM and configure <code>process_creation</code> logging for Windows endpoints to detect malicious execution.</li>
<li>Review all <code>process_creation</code> logs for <code>CustomScriptHandler.exe</code> spawning suspicious child processes, specifically those matching the LOLBin and PowerShell patterns outlined in the Sigma rule.</li>
<li>Correlate alerts with <code>MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE</code> events in <code>logs-azure.activitylogs-*</code> around the same time to identify the principal and source behind the CustomScript extension deployment.</li>
<li>For recurring, known automation activities identified as false positives, create specific exclusions for <code>process.command_line</code> or <code>process.args</code> rather than broad exclusions on process names or parent images.</li>
<li>If unauthorized activity is confirmed, remove the suspicious CustomScript extension, isolate the affected VM, rotate all credentials potentially compromised from the VM, and review RBAC permissions on the associated Azure subscription or resource group.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>windows</category><category>execution</category><category>cloud-to-host</category><category>azure</category><category>lolbin</category></item></channel></rss>