Query Details

Malware C2 Comms Over Azure Blob Metadata

Query

// Detect Malware C2 Comms over Azure Blob Metadata
// https://security.microsoft.com/threatanalytics3/8d8a9fa0-4408-47be-8a07-7ce3d21eb827/analystreport

DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemoteUrl has ".blob.core.windows.net"
| where InitiatingProcessCommandLine has "comp=metadata"

Explanation

This query is designed to detect potential malware communication with command and control (C2) servers using Azure Blob storage metadata. Here's a simple breakdown of what it does:

  1. Data Source: It examines network events from devices (DeviceNetworkEvents).

  2. Time Frame: It focuses on events that occurred within the last hour (Timestamp > ago(1h)).

  3. Targeted URLs: It filters for network events whose remote URL contains ".blob.core.windows.net", the domain suffix of Azure Blob storage endpoints.

  4. Command Line Indicator: It further narrows the results to events where the command line of the initiating process contains "comp=metadata", the query-string parameter of the Blob service's metadata operations. A process reading or writing blob metadata in this way could be using it as a covert channel for malware communication.

Overall, the query is looking for signs of malware that might be using Azure Blob storage as a means to communicate with its operators by accessing metadata.
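The same filter reimplemented in Python as an added example (not from the original page or its author), run over constructed rows shaped like DeviceNetworkEvents columns. It shows two things the KQL above does not: "comp=metadata" is part of the request URL, so it reaches InitiatingProcessCommandLine only when a tool such as curl receives the whole URL as an argument, while a program that builds the request in code leaves it only in RemoteUrl; and matching ".blob.core.windows.net" as a substring also fires on that string appearing in the path of an unrelated host, whereas checking the parsed hostname does not. The sample rows, the reference time NOW, the storage account name and the helper names are all constructed or assumed, and KQL's term-based `has` is approximated here as case-insensitive substring matching.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed reference time and sample rows shaped like DeviceNetworkEvents
# columns; none of this is real telemetry.
NOW = datetime(2025, 5, 21, 12, 0, tzinfo=timezone.utc)
BLOB = "https://examplestore.blob.core.windows.net/c/b?comp=metadata"

SAMPLE_EVENTS = [
    # 1. curl receives the whole URL as an argument: command line carries comp=metadata
    {"DeviceName": "ws01", "Timestamp": NOW - timedelta(minutes=5), "RemoteUrl": BLOB,
     "InitiatingProcessCommandLine": f'curl.exe "{BLOB}"'},
    # 2. Same request built in code: only RemoteUrl shows the metadata operation
    {"DeviceName": "ws02", "Timestamp": NOW - timedelta(minutes=10), "RemoteUrl": BLOB,
     "InitiatingProcessCommandLine": "updater.exe --check"},
    # 3. Ordinary blob download, no metadata operation
    {"DeviceName": "ws03", "Timestamp": NOW - timedelta(minutes=15),
     "RemoteUrl": "https://examplestore.blob.core.windows.net/c/setup.msi",
     "InitiatingProcessCommandLine": "msiexec.exe /i setup.msi"},
    # 4. Blob host string appears only in the path of an unrelated host
    {"DeviceName": "ws04", "Timestamp": NOW - timedelta(minutes=20),
     "RemoteUrl": "https://not-azure.example/.blob.core.windows.net/x?comp=metadata",
     "InitiatingProcessCommandLine":
         'curl.exe "https://not-azure.example/.blob.core.windows.net/x?comp=metadata"'},
    # 5. Would match, but lies outside the one-hour window
    {"DeviceName": "ws05", "Timestamp": NOW - timedelta(hours=3), "RemoteUrl": BLOB,
     "InitiatingProcessCommandLine": f'curl.exe "{BLOB}"'},
]


def in_window(event, now, window=timedelta(hours=1)):
    """Timestamp > ago(1h), evaluated relative to `now`."""
    return event["Timestamp"] > now - window


def matches_original_query(event, now=NOW):
    """Literal reading of the KQL; `has` approximated as case-insensitive substring."""
    url = event["RemoteUrl"].lower()
    cmd = event["InitiatingProcessCommandLine"].lower()
    return in_window(event, now) and ".blob.core.windows.net" in url and "comp=metadata" in cmd


def is_blob_service_host(url):
    """True only when the parsed hostname itself is under blob.core.windows.net."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(".blob.core.windows.net")


def is_metadata_operation(event):
    """comp=metadata in the URL query string, with the command line as a fallback."""
    query = parse_qs(urlsplit(event["RemoteUrl"]).query)
    if "metadata" in [v.lower() for v in query.get("comp", [])]:
        return True
    return "comp=metadata" in event["InitiatingProcessCommandLine"].lower()


def matches_hardened_query(event, now=NOW):
    """Same intent as the KQL, but host-aware and not dependent on the command line."""
    return (in_window(event, now)
            and is_blob_service_host(event["RemoteUrl"])
            and is_metadata_operation(event))


def run(events, predicate, now=NOW):
    """Return the DeviceNames of the events the predicate flags, in input order."""
    return [e["DeviceName"] for e in events if predicate(e, now)]


if __name__ == "__main__":
    print("original:", run(SAMPLE_EVENTS, matches_original_query))  # ['ws01', 'ws04']
    print("hardened:", run(SAMPLE_EVENTS, matches_hardened_query))  # ['ws01', 'ws02']
```

Against the sample rows the literal query flags ws01 and the lookalike ws04 but misses ws02, whose request never touched a command line; the host-aware version flags ws01 and ws02 and drops ws04. In KQL the equivalent adjustment is to test RemoteUrl for "comp=metadata" as well as (or instead of) InitiatingProcessCommandLine, and to derive the host from RemoteUrl rather than relying on a substring match.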

Details


Steven Lim

Released: May 21, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Timestamp, RemoteUrl, InitiatingProcessCommandLine

Operators

DeviceNetworkEvents, |, where, Timestamp, >, ago(), has, RemoteUrl, InitiatingProcessCommandLine
