Query Details

Detect executable drops via Azure custom script extension

Detect Executable Drop Via Azure

Query

// Executable extensions we want to flag (you can also add .ps1 and .sh)
let win_executable_extensions = dynamic([".dll", ".exe", ".msi", ".bat", ".cmd", ".com", ".vbs", ".wsf", ".scr", ".cpl"]);
DeviceFileEvents
| where TimeGenerated > ago(1h)
// Search for file created events by Arc Custom Script Handler
| where ActionType == "FileCreated"
| where InitiatingProcessFileName =~ "customscripthandler.exe"
// Get the file type
| extend FileType = tostring(parse_json(AdditionalFields).FileType)
// Flag on extension or executable file type
| where FileName has_any (win_executable_extensions) or 
    FileType contains "Executable"

About this query

Explanation

This query is designed to detect potentially malicious activities involving the Azure Custom Script Extension service. Here's a simplified breakdown:

  1. Purpose: The query aims to identify when executable files are being dropped onto a machine via the Azure Custom Script Extension. This could be a sign of malicious activity, such as an attacker attempting to deploy malware using a compromised cloud admin account.

  2. Techniques Monitored: It focuses on two specific MITRE ATT&CK techniques:

    • T1021.008: Direct Cloud VM Connections, which involves connecting directly to cloud virtual machines.
    • T1651: Cloud Administration Command, which involves using cloud administration tools to execute commands.
  3. Detection Logic:

    • The query looks at file creation events within the last hour.
    • It specifically checks for files created by the "customscripthandler.exe" process.
    • It flags files with certain executable extensions (like .exe, .dll, .bat, etc.) or those identified as executable file types.
  4. Risk Mitigation: By flagging these events, the query helps mitigate the risk of unauthorized or malicious software being deployed via Azure's scripting capabilities.

  5. Author and References: The query was authored by Robbe Van den Daele, and additional resources are provided for further reading.

In essence, this query is a security measure to monitor and alert on suspicious file activities that could indicate a security breach or misuse of cloud resources.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: October 6, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

letdynamic>ago|where===~extendtostringparse_jsonhas_anyorcontains

MITRE Techniques

Actions

GitHub