Detect Process Drop Via Azure Lateral Movement

Query

# *Detect process drops via Azure Custom Script Extension performing lateral movement*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1021.008 | Remote Services: Direct Cloud VM Connections | https://attack.mitre.org/techniques/T1021/008/ |
| T1651 | Cloud Administration Command | https://attack.mitre.org/techniques/T1651/ |
| T1021 | Remote Services | https://attack.mitre.org/techniques/T1021/ |


#### Description
This detection rule spots processes that were dropped on a machine via the Azure Custom Script Extension and are now performing lateral movement. A common procedure for attackers, once they have compromised one machine, is to move laterally to other machines via common protocols such as RDP, SSH, VNC, WMI and RPC. It is uncommon for an environment to use Custom Script Extensions for this kind of activity, so binaries written by the extension handler that start talking to these ports deserve attention.

#### Risk
This detection rule tries to mitigate the risk of Azure and Azure Arc being used to compromise servers and move laterally through the environment.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://thecollective.eu/

## Defender XDR
```kql
let process_drop_via_arc = (
    DeviceFileEvents
    | where TimeGenerated > ago(7d)
    // Search for file created events by the Arc Custom Script Handler
    | where ActionType == "FileCreated"
    | where InitiatingProcessFileName =~ "customscripthandler.exe"
    // Rows without a hash cannot be joined to network events
    | where isnotempty(SHA256)
    | distinct SHA256
);
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
// Keep only connections initiated by a binary the handler wrote to disk
| join kind=inner process_drop_via_arc on $left.InitiatingProcessSHA256 == $right.SHA256
// WinRM (5985/5986), SMB (445), RDP (3389), SSH (22), VNC (5900), RPC endpoint mapper (135).
// RemotePort is an int column, so compare against integer literals rather than strings.
| where RemotePort in (5985, 5986, 445, 3389, 22, 5900, 135)
| where ActionType in~ ("ConnectionSuccess", "ConnectionAttempt",
    "ConnectionFailed", "ConnectionRequest")
```

Explanation

This query is designed to detect suspicious activity involving Azure Custom Script Extensions that might indicate lateral movement within a network. Here's a simplified explanation:

1. Purpose: The query identifies processes whose executable was written to disk by the Azure Custom Script Extension and that are now making the kind of connections used to move laterally to other machines in the network.

2. Detection Method:
   - Step 1: Collect the SHA256 hashes of files created by the Custom Script handler (`customscripthandler.exe`) within the last 7 days; rows without a hash are discarded because they cannot be correlated.
   - Step 2: Take network events from the last hour and inner-join them on `InitiatingProcessSHA256`, so only connections initiated by one of those dropped binaries remain.

3. Indicators of Lateral Movement:
   - The query looks for connections to ports commonly used by remote services (WinRM 5985/5986, SMB 445, RDP 3389, SSH 22, VNC 5900, RPC endpoint mapper 135), which are typical avenues for lateral movement.
   - It considers several connection states: successful connections, attempts, failures and requests.

4. Risk Mitigation: By detecting these activities, the query helps mitigate the risk of attackers using Azure and Azure Arc to compromise servers and move laterally within an environment.

The asymmetric windows (7 days for the dropped files, 1 hour for the connections) fit a rule scheduled to run hourly: a binary dropped days earlier is still correlated the moment it first reaches out. Legitimate management tooling deployed through the extension that uses these ports will match as well, so known-good hashes should be excluded after review.

In essence, this query helps security teams identify and respond to potential threats involving the misuse of Azure Custom Script Extensions for unauthorized lateral movement in a network.
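To make the two steps concrete, the following is an added example that re-implements the detection logic in Python over constructed rows shaped like DeviceFileEvents and DeviceNetworkEvents. It is not the page's query or any Microsoft tooling; the hashes, device names, IPs and timestamps are all made up, and the `=~` / `in~` case-insensitive comparisons and the inner join are modelled explicitly so each filter's effect on the sample rows can be inspected offline.

```python
"""Offline walk-through of the KQL detection logic over constructed events.

Added example, not the original query: the two steps (dropped-file hashes,
then recent network events joined on those hashes) are re-implemented so the
filters can be exercised on sample rows. All values below are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 6, 12, 0, tzinfo=timezone.utc)  # assumed "current" time

# Constructed SHA256 values (not real file hashes).
SHA_DROPPED = "a" * 64    # written to disk by the Custom Script handler, recently
SHA_OLD = "b" * 64        # written by the handler, but outside the 7-day lookback
SHA_UNRELATED = "c" * 64  # written by explorer.exe, not the handler

# Constructed DeviceFileEvents rows.
DEVICE_FILE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=2), "ActionType": "FileCreated",
     "InitiatingProcessFileName": "CustomScriptHandler.exe", "SHA256": SHA_DROPPED},
    {"TimeGenerated": NOW - timedelta(days=10), "ActionType": "FileCreated",
     "InitiatingProcessFileName": "customscripthandler.exe", "SHA256": SHA_OLD},
    {"TimeGenerated": NOW - timedelta(hours=5), "ActionType": "FileCreated",
     "InitiatingProcessFileName": "explorer.exe", "SHA256": SHA_UNRELATED},
    {"TimeGenerated": NOW - timedelta(hours=3), "ActionType": "FileDeleted",
     "InitiatingProcessFileName": "customscripthandler.exe", "SHA256": "d" * 64},
    {"TimeGenerated": NOW - timedelta(hours=1), "ActionType": "FileCreated",
     "InitiatingProcessFileName": "customscripthandler.exe", "SHA256": ""},  # no hash
]

# Constructed DeviceNetworkEvents rows; the comment states the expected outcome.
DEVICE_NETWORK_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=10), "DeviceName": "arc-srv-01",
     "InitiatingProcessSHA256": SHA_DROPPED, "RemoteIP": "10.0.1.20",
     "RemotePort": 445, "ActionType": "ConnectionSuccess"},           # hit: SMB
    {"TimeGenerated": NOW - timedelta(minutes=8), "DeviceName": "arc-srv-01",
     "InitiatingProcessSHA256": SHA_DROPPED, "RemoteIP": "10.0.1.21",
     "RemotePort": 5985, "ActionType": "connectionfailed"},           # hit: WinRM (in~)
    {"TimeGenerated": NOW - timedelta(minutes=5), "DeviceName": "arc-srv-01",
     "InitiatingProcessSHA256": SHA_DROPPED, "RemoteIP": "52.1.2.3",
     "RemotePort": 443, "ActionType": "ConnectionSuccess"},           # miss: port
    {"TimeGenerated": NOW - timedelta(minutes=3), "DeviceName": "ws-07",
     "InitiatingProcessSHA256": SHA_UNRELATED, "RemoteIP": "10.0.1.22",
     "RemotePort": 3389, "ActionType": "ConnectionSuccess"},          # miss: not dropped
    {"TimeGenerated": NOW - timedelta(hours=2), "DeviceName": "arc-srv-01",
     "InitiatingProcessSHA256": SHA_DROPPED, "RemoteIP": "10.0.1.23",
     "RemotePort": 3389, "ActionType": "ConnectionSuccess"},          # miss: > 1h old
    {"TimeGenerated": NOW - timedelta(minutes=1), "DeviceName": "arc-srv-01",
     "InitiatingProcessSHA256": SHA_DROPPED, "RemoteIP": "0.0.0.0",
     "RemotePort": 22, "ActionType": "ListeningConnectionCreated"},   # miss: action
]

LATERAL_MOVEMENT_PORTS = {5985: "WinRM/HTTP", 5986: "WinRM/HTTPS", 445: "SMB",
                          3389: "RDP", 22: "SSH", 5900: "VNC", 135: "RPC endpoint mapper"}
CONNECTION_ACTIONS = {"connectionsuccess", "connectionattempt",
                      "connectionfailed", "connectionrequest"}


def process_drop_via_arc(file_events, now=NOW, lookback=timedelta(days=7)):
    """Step 1 (the KQL `let`): distinct SHA256 of files created by
    customscripthandler.exe in the lookback window. `=~` is case-insensitive."""
    return {
        e["SHA256"] for e in file_events
        if e["TimeGenerated"] > now - lookback
        and e["ActionType"] == "FileCreated"
        and e["InitiatingProcessFileName"].lower() == "customscripthandler.exe"
        and e["SHA256"]  # isnotempty(SHA256)
    }


def detect_lateral_movement(file_events, network_events, now=NOW,
                            window=timedelta(hours=1)):
    """Step 2: recent network events inner-joined on the dropped-file hashes,
    then the remote-port and ActionType filters. Returns matching rows tagged
    with the protocol behind the port."""
    dropped = process_drop_via_arc(file_events, now)
    hits = []
    for e in network_events:
        if e["TimeGenerated"] <= now - window:
            continue
        if e["InitiatingProcessSHA256"] not in dropped:      # join kind=inner
            continue
        if e["RemotePort"] not in LATERAL_MOVEMENT_PORTS:    # RemotePort in (...)
            continue
        if e["ActionType"].lower() not in CONNECTION_ACTIONS:  # ActionType in~ (...)
            continue
        hits.append({**e, "Protocol": LATERAL_MOVEMENT_PORTS[e["RemotePort"]]})
    return hits


if __name__ == "__main__":
    for h in detect_lateral_movement(DEVICE_FILE_EVENTS, DEVICE_NETWORK_EVENTS):
        print(f'{h["DeviceName"]}: {h["Protocol"]} to {h["RemoteIP"]}:{h["RemotePort"]} '
              f'({h["ActionType"]})')
```

Of the six constructed network rows only the SMB and WinRM connections survive: the others fall to the port list, the join, the 1-hour window and the ActionType filter respectively, which mirrors the order of the `where` clauses in the query.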

Details

Robbe Van den Daele

Released: October 6, 2025

Tables

DeviceFileEvents, DeviceNetworkEvents

Keywords

Devices, Azure, Custom Script Extension, Lateral Movement, Process, Remote Services, Cloud VM Connections, Cloud Administration Command
