{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloud-to-host/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Virtual Machines CustomScript Extension"],"_cs_severities":["medium"],"_cs_tags":["windows","execution","cloud-to-host","azure","lolbin"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers who gain initial access to an Azure subscription or virtual machine management plane can exploit the Azure VM CustomScript extension to achieve highly privileged code execution on Windows hosts. This technique involves deploying an attacker-controlled script, which is then executed by the \u003ccode\u003eCustomScriptHandler.exe\u003c/code\u003e binary via the Azure Guest Agent, typically running with SYSTEM privileges. This capability represents a common and critical cloud-to-host pivot, allowing adversaries to establish a strong foothold within target environments. The detection mechanism focuses on identifying suspicious descendant processes launched by \u003ccode\u003eCustomScriptHandler.exe\u003c/code\u003e, specifically targeting known Living-Off-The-Land (LOLBins) used for execution, download, or discovery, as well as PowerShell commands exhibiting suspicious tradecraft (e.g., encoded commands, download cradles). This approach allows for robust detection even when attackers attempt to obfuscate their activities by manipulating the extension's resource name, which is not reflected in on-host telemetry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target Azure subscription or VM management plane, potentially via compromised credentials, misconfigurations, or exploitation of other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or updates an Azure VM CustomScript Extension on a target Windows virtual machine, specifying a malicious script or command to be executed.\u003c/li\u003e\n\u003cli\u003eThe Azure Guest Agent on the target VM receives the extension deployment command and downloads the attacker-supplied script or payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCustomScriptHandler.exe\u003c/code\u003e process is launched by the Azure Guest Agent, executing the attacker's script with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCustomScriptHandler.exe\u003c/code\u003e spawns a suspicious child process, which could be an execution-proxy (e.g., \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e), a download tool (\u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e), a script host (\u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e), a discovery utility (\u003ccode\u003ewhoami.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e), or a PowerShell instance running encoded commands or download cradles.\u003c/li\u003e\n\u003cli\u003eThe malicious child process executes its payload, which can include further reconnaissance, downloading and installing additional malware, establishing persistence mechanisms, or directly impacting the system (e.g., data exfiltration, ransomware deployment).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Azure VM CustomScript extension grants attackers arbitrary code execution with SYSTEM privileges on the affected Windows virtual machine. This level of access enables comprehensive control over the compromised system, allowing for complete data compromise, installation of persistence mechanisms, deployment of ransomware, exfiltration of sensitive information, or lateral movement within the network. The impact can extend beyond the single VM, potentially affecting an entire Azure environment if the compromised VM hosts critical services or provides a pivot point to other cloud resources. Organizations may face significant operational disruption, data breaches, and financial losses due to remediation efforts and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Suspicious Child Process via Azure VM CustomScript Extension\u0026quot; to your SIEM and configure \u003ccode\u003eprocess_creation\u003c/code\u003e logging for Windows endpoints to detect malicious execution.\u003c/li\u003e\n\u003cli\u003eReview all \u003ccode\u003eprocess_creation\u003c/code\u003e logs for \u003ccode\u003eCustomScriptHandler.exe\u003c/code\u003e spawning suspicious child processes, specifically those matching the LOLBin and PowerShell patterns outlined in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with \u003ccode\u003eMICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\u003c/code\u003e events in \u003ccode\u003elogs-azure.activitylogs-*\u003c/code\u003e around the same time to identify the principal and source behind the CustomScript extension deployment.\u003c/li\u003e\n\u003cli\u003eFor recurring, known automation activities identified as false positives, create specific exclusions for \u003ccode\u003eprocess.command_line\u003c/code\u003e or \u003ccode\u003eprocess.args\u003c/code\u003e rather than broad exclusions on process names or parent images.\u003c/li\u003e\n\u003cli\u003eIf unauthorized activity is confirmed, remove the suspicious CustomScript extension, isolate the affected VM, rotate all credentials potentially compromised from the VM, and review RBAC permissions on the associated Azure subscription or resource group.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T12:59:15Z","date_published":"2026-07-17T12:59:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-azure-customscript-suspicious-child/","summary":"Attackers with access to an Azure subscription or VM management plane can leverage the Azure VM CustomScript extension to execute arbitrary code with SYSTEM privileges on Windows virtual machines, leading to various malicious activities such as reconnaissance, malware deployment, and persistence.","title":"Suspicious Child Process Execution via Azure VM CustomScript Extension","url":"https://feed.craftedsignal.io/briefs/2026-07-azure-customscript-suspicious-child/"}],"language":"en","title":"CraftedSignal Threat Feed - Cloud-to-Host","version":"https://jsonfeed.org/version/1.1"}