Detect process drops via Azure Custom Script Extension performing lateral movement
Detect Process Drop Via Azure Lateral Movement
Query
let process_drop_via_arc = (
DeviceFileEvents
| where TimeGenerated > ago(7d)
// Search for file created events by Arc Custom Script Handler
| where ActionType == "FileCreated"
| where InitiatingProcessFileName =~ "customscripthandler.exe"
| where isnotempty(SHA256)
| distinct SHA256
);
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| join kind=inner process_drop_via_arc on $left.InitiatingProcessSHA256 == $right.SHA256
| where RemotePort in ("5985", "5986", "445", "3389", "22", "5900", "135")
| where ActionType in~ ("ConnectionSuccess", "ConnectionAttempt",
"ConnectionFailed", "ConnectionRequest")About this query
Explanation
This query is designed to detect suspicious activity involving Azure Custom Script Extensions that might indicate lateral movement within a network. Here's a simplified explanation:
-
Purpose: The query aims to identify processes that were created using Azure Custom Script Extensions and are potentially being used for lateral movement across different machines in a network.
-
Detection Method:
- Step 1: It first looks for files that were created by the Azure Custom Script Handler (
customscripthandler.exe) within the last 7 days. It identifies these files by their SHA256 hash. - Step 2: It then checks for any network connections initiated by these identified processes within the last hour.
- Step 1: It first looks for files that were created by the Azure Custom Script Handler (
-
Indicators of Lateral Movement:
- The query specifically looks for network connections on ports commonly used for remote services (e.g., RDP, SSH, VNC, WMI, RPC), which are typical avenues for lateral movement.
- It considers various connection statuses such as successful connections, attempts, failures, and requests.
-
Risk Mitigation: By detecting these activities, the query helps mitigate the risk of attackers using Azure and Azure Arc to compromise servers and move laterally within an environment.
In essence, this query helps security teams identify and respond to potential threats involving the misuse of Azure Custom Script Extensions for unauthorized lateral movement in a network.
Details

Robbe Van den Daele
Released: October 6, 2025
Tables
Keywords
Operators