Query Details

Azure ARC Related Persistence Detection

Nf Ttp T1543 Scattered Spider Azure Arc Persistence

Query

// Unexpected installation of azure arc agent - service installation
let ServiceNames = datatable(name:string)["himds.exe","gc_arc_service.exe","gc_extension_service.exe"];
DeviceEvents
| where ActionType =~ "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| extend ServiceAccount = tostring(parse_json(AdditionalFields).ServiceAccount)
| extend ServiceStartType = tostring(parse_json(AdditionalFields).ServiceStartType)
| extend ServiceType = tostring(parse_json(AdditionalFields).ServiceType)
| where ServiceName has_any (ServiceNames)

About this query

Explanation

The query is designed to detect the unexpected installation of Azure ARC agents, which can be used by attackers to maintain long-term access to compromised systems. The first query looks for service installations related to Azure ARC agents, while the second query identifies specific file path creations associated with these agents. The goal is to identify any unauthorized installation of Azure ARC agents and mitigate the risk of attackers gaining control over a wider network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 28, 2024

Tables

DeviceEventsDeviceFileEvents

Keywords

DevicesIntuneUserAzure ARCPersistence DetectionMITRE ATT&CKCreate or Modify System ProcessServiceInstalledServiceNameServiceAccountServiceStartTypeServiceTypeFileCreatedFolderPath

Operators

whereextenddatatableparse_jsontostringhas_any

MITRE Techniques

Actions

GitHub