Detect executable drops via Azure custom script extension
Detect Executable Drop Via Azure
Query
// Executable extensions we want to flag (you can also add .ps1 and .sh)
let win_executable_extensions = dynamic([".dll", ".exe", ".msi", ".bat", ".cmd", ".com", ".vbs", ".wsf", ".scr", ".cpl"]);
DeviceFileEvents
| where TimeGenerated > ago(1h)
// Search for file created events by Arc Custom Script Handler
| where ActionType == "FileCreated"
| where InitiatingProcessFileName =~ "customscripthandler.exe"
// Get the file type
| extend FileType = tostring(parse_json(AdditionalFields).FileType)
// Flag on extension or executable file type
| where FileName has_any (win_executable_extensions) or
FileType contains "Executable"About this query
Explanation
This query is designed to detect potentially malicious activities involving the Azure Custom Script Extension service. Here's a simplified breakdown:
-
Purpose: The query aims to identify when executable files are being dropped onto a machine via the Azure Custom Script Extension. This could be a sign of malicious activity, such as an attacker attempting to deploy malware using a compromised cloud admin account.
-
Techniques Monitored: It focuses on two specific MITRE ATT&CK techniques:
- T1021.008: Direct Cloud VM Connections, which involves connecting directly to cloud virtual machines.
- T1651: Cloud Administration Command, which involves using cloud administration tools to execute commands.
-
Detection Logic:
- The query looks at file creation events within the last hour.
- It specifically checks for files created by the "customscripthandler.exe" process.
- It flags files with certain executable extensions (like .exe, .dll, .bat, etc.) or those identified as executable file types.
-
Risk Mitigation: By flagging these events, the query helps mitigate the risk of unauthorized or malicious software being deployed via Azure's scripting capabilities.
-
Author and References: The query was authored by Robbe Van den Daele, and additional resources are provided for further reading.
In essence, this query is a security measure to monitor and alert on suspicious file activities that could indicate a security breach or misuse of cloud resources.
