heroui logo

Suspicious Child Process via Azure VM CustomScript Extension

Elastic Detection Rules

View Source
Summary
This Elastic detection rule flags suspicious Windows child processes that execute under the Azure VM CustomScript extension handler (CustomScriptHandler.exe). Because the CustomScript extension can run attacker-supplied scripts as SYSTEM via the guest agent and its resource name can be adversary-controlled, the rule anchors on the handler binary’s path (Microsoft.Compute.CustomScriptExtension/.../CustomScriptHandler.exe) to avoid renaming-based evasion. It triggers when any descendant process in the CustomScriptHandler.exe process tree launches a known LOLBin or suspicious PowerShell activity, rather than simply any PowerShell or CMD usage. The query sequences process start events on Windows endpoints, matching the CustomScriptHandler.exe start and then filtering for descendants that resemble execution proxies (mshta, regsvr32, rundll32, installutil, msbuild), download utilities (certutil with urlcache/encode/decode, bitsadmin), script hosts (wscript, cscript), or discovery utilities (whoami, net, nltest, wmic, systeminfo, quser, arp, tasklist), as well as PowerShell commands with encoded content or download/execute patterns (EncodedCommand, IEX, IEX with I/O redirection, Start-BitsTransfer, etc.). The rule maps to MITRE ATT&CK techniques for Execution (T1059 and subtechniques, including PowerShell T1059.001), System Binary Proxy Execution (T1218), and Cloud Administration Command (T1651), and ties to the Execution and Defense Evasion tactics. It uses process ancestry (process.Ext.ancestry) to detect malicious activity anywhere in the subtree, not just direct children, and timestamps events with a 1-minute window after the extension handler starts. The rule recommends cross-correlation with Azure control-plane logs (e.g., MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE) and enrichment with extension settings to assess intent. Remediation steps include removing the extension, isolating the host, rotating credentials, and reviewing RBAC; false positives may arise from legitimate automation or bootstrap activities that legitimately use these utilities, in which case narrow, command- or argument-scoped exclusions are preferred over broad host-wide allowances.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Image
  • Script
ATT&CK Techniques
  • T1651
  • T1059
  • T1059.001
  • T1059.003
  • T1218
Created: 2026-06-17