Detect Executable Drop Via Azure

# *Detect executable drops via Azure custom script extension*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1021.008 | Remote Services: Direct Cloud VM Connections | https://attack.mitre.org/techniques/T1021/008/ |
| T1651 | Cloud Administration Command | https://attack.mitre.org/techniques/T1651/ |


#### Description
This detection rule flags when the Custom Script extension handler on a machine drops executable files. This can indicate that an actor is trying to deploy malware or beacons via a compromised cloud admin account. In most legitimate cases administrators push only PowerShell or shell scripts, although these can also carry malicious content; be aware of this gap in the detection rule below.

#### Risk
This rule tries to mitigate the risk of malicious actors deploying malware or beacons via Azure or Azure Arc Custom Script extensions.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://thecollective.eu/

## Defender XDR
```kql
// Executable extensions we want to flag (you can also add .ps1 and .sh)
let win_executable_extensions = dynamic([".dll", ".exe", ".msi", ".bat", ".cmd", ".com", ".vbs", ".wsf", ".scr", ".cpl"]);
DeviceFileEvents
// Advanced Hunting names the event time column Timestamp; the same table in Microsoft Sentinel uses TimeGenerated
| where Timestamp > ago(1h)
// Search for file created events by the Azure / Azure Arc Custom Script handler process
| where ActionType == "FileCreated"
| where InitiatingProcessFileName =~ "customscripthandler.exe"
// Get the file type from the AdditionalFields JSON
| extend FileType = tostring(parse_json(AdditionalFields).FileType)
// Flag on extension or executable file type
// (has_any matches whole terms; contains is case-insensitive, so "PortableExecutable" also matches)
| where FileName has_any (win_executable_extensions) or
    FileType contains "Executable"
```

Explanation

This query is designed to detect potentially malicious activity involving the Azure Custom Script Extension service. Here's a simplified breakdown:

1. Purpose: The query aims to identify when executable files are being dropped onto a machine via the Azure Custom Script Extension. This could be a sign of malicious activity, such as an attacker attempting to deploy malware using a compromised cloud admin account.
2. Techniques Monitored: It focuses on two specific MITRE ATT&CK techniques:
   - T1021.008: Direct Cloud VM Connections, which involves connecting directly to cloud virtual machines.
   - T1651: Cloud Administration Command, which involves using cloud administration tools to execute commands.
3. Detection Logic:
   - The query looks at file creation events within the last hour.
   - It specifically checks for files created by the "customscripthandler.exe" process.
   - It flags files with certain executable extensions (like .exe, .dll, .bat, etc.) or those identified as executable file types.
4. Risk Mitigation: By flagging these events, the query helps mitigate the risk of unauthorized or malicious software being deployed via Azure's scripting capabilities.
5. Author and References: The query was authored by Robbe Van den Daele, and additional resources are provided for further reading.

In essence, this query is a security measure to monitor and alert on suspicious file activity that could indicate a security breach or misuse of cloud resources.
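To make the matching rules concrete, here is a Python re-implementation of the same detection logic run over constructed sample DeviceFileEvents records. This is an added example, not the author's query and not part of any Microsoft SDK; the record keys mirror the Advanced Hunting column names, and the sample events (device names, file names, timestamps) are made up. It also shows the documented gap: a dropped .ps1 script is not flagged.

```python
"""Offline re-implementation of the KQL detection above (added example, not the
author's code).  Records are plain dicts keyed by Advanced Hunting column names."""
import json
from datetime import datetime, timedelta, timezone

# Executable extensions the query flags (the query notes .ps1 and .sh could be added)
WIN_EXECUTABLE_EXTENSIONS = (".dll", ".exe", ".msi", ".bat", ".cmd",
                             ".com", ".vbs", ".wsf", ".scr", ".cpl")


def is_executable_drop(event, now, window=timedelta(hours=1)):
    """Return True when `event` matches every condition of the query:
    inside the time window, ActionType FileCreated, initiated by
    customscripthandler.exe (case-insensitive like KQL =~), and either an
    executable extension or an AdditionalFields.FileType containing
    "Executable" (case-insensitive like KQL contains)."""
    ts = datetime.fromisoformat(event["Timestamp"])
    if ts <= now - window:                       # equivalent of Timestamp > ago(1h)
        return False
    if event.get("ActionType") != "FileCreated":
        return False
    if event.get("InitiatingProcessFileName", "").lower() != "customscripthandler.exe":
        return False
    name = event.get("FileName", "").lower()
    # endswith is used here instead of KQL has_any: has_any matches whole terms,
    # so it can also hit names where the extension string is not the final one.
    by_ext = name.endswith(WIN_EXECUTABLE_EXTENSIONS)
    try:
        file_type = json.loads(event.get("AdditionalFields") or "{}").get("FileType", "")
    except json.JSONDecodeError:
        file_type = ""
    by_type = "executable" in str(file_type).lower()
    return by_ext or by_type


def find_executable_drops(events, now=None):
    """Filter a list of DeviceFileEvents-like records down to the matches."""
    now = now or datetime.now(timezone.utc)
    return [e for e in events if is_executable_drop(e, now)]


# Constructed sample telemetry (not real data); "now" is fixed so the window is deterministic
NOW = datetime(2025, 10, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Matches: executable extension and executable file type, handler process, in window
    {"Timestamp": "2025-10-06T11:50:00+00:00", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "CustomScriptHandler.exe", "FileName": "beacon.exe",
     "DeviceName": "vm-web01", "AdditionalFields": '{"FileType":"PortableExecutable"}'},
    # The documented gap: a PowerShell script pushed by the handler is not flagged
    {"Timestamp": "2025-10-06T11:55:00+00:00", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "customscripthandler.exe", "FileName": "deploy.ps1",
     "DeviceName": "vm-web01", "AdditionalFields": '{"FileType":"Text"}'},
    # Matches on file type only: unusual extension but identified as executable
    {"Timestamp": "2025-10-06T11:58:00+00:00", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "customscripthandler.exe", "FileName": "payload.bin",
     "DeviceName": "vm-db02", "AdditionalFields": '{"FileType":"Executable"}'},
    # Wrong initiating process: ignored
    {"Timestamp": "2025-10-06T11:59:00+00:00", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "update.dll",
     "DeviceName": "vm-db02", "AdditionalFields": '{"FileType":"PortableExecutable"}'},
    # Outside the one-hour window: ignored
    {"Timestamp": "2025-10-06T09:00:00+00:00", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "customscripthandler.exe", "FileName": "old.exe",
     "DeviceName": "vm-web01", "AdditionalFields": '{"FileType":"PortableExecutable"}'},
    # Extension string in the middle of the name: not flagged by the endswith check
    {"Timestamp": "2025-10-06T11:59:30+00:00", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "customscripthandler.exe", "FileName": "notes.dll.txt",
     "DeviceName": "vm-web01", "AdditionalFields": '{"FileType":"Text"}'},
]

if __name__ == "__main__":
    for hit in find_executable_drops(SAMPLE_EVENTS, NOW):
        print(f'{hit["DeviceName"]}: {hit["FileName"]} dropped by {hit["InitiatingProcessFileName"]}')
```

Running it flags only `beacon.exe` and `payload.bin`; `deploy.ps1` passes through, which is exactly the gap the description warns about, and the out-of-window and wrong-process records are dropped before the extension check is reached.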

Details

Robbe Van den Daele

Released: October 6, 2025

Tables

DeviceFileEvents

Operators

let, dynamic, >, ago, |, where, ==, =~, extend, tostring, parse_json, has_any, or, contains