Query Details

Detect process drops via Azure Custom Script Extension performing lateral movement

Detect Process Drop Via Azure Lateral Movement

Query

let process_drop_via_arc = (
    DeviceFileEvents
    | where TimeGenerated > ago(7d)
    // Search for file created events by Arc Custom Script Handler
    | where ActionType == "FileCreated"
    | where InitiatingProcessFileName =~ "customscripthandler.exe"
    | where isnotempty(SHA256)
    | distinct SHA256
);
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| join kind=inner process_drop_via_arc on $left.InitiatingProcessSHA256 == $right.SHA256
| where RemotePort in ("5985", "5986", "445", "3389", "22", "5900", "135")
| where ActionType in~ ("ConnectionSuccess", "ConnectionAttempt", 
"ConnectionFailed", "ConnectionRequest")

About this query

Explanation

This query is designed to detect suspicious activity involving Azure Custom Script Extensions that might indicate lateral movement within a network. Here's a simplified explanation:

  1. Purpose: The query aims to identify processes that were created using Azure Custom Script Extensions and are potentially being used for lateral movement across different machines in a network.

  2. Detection Method:

    • Step 1: It first looks for files that were created by the Azure Custom Script Handler (customscripthandler.exe) within the last 7 days. It identifies these files by their SHA256 hash.
    • Step 2: It then checks for any network connections initiated by these identified processes within the last hour.
  3. Indicators of Lateral Movement:

    • The query specifically looks for network connections on ports commonly used for remote services (e.g., RDP, SSH, VNC, WMI, RPC), which are typical avenues for lateral movement.
    • It considers various connection statuses such as successful connections, attempts, failures, and requests.
  4. Risk Mitigation: By detecting these activities, the query helps mitigate the risk of attackers using Azure and Azure Arc to compromise servers and move laterally within an environment.

In essence, this query helps security teams identify and respond to potential threats involving the misuse of Azure Custom Script Extensions for unauthorized lateral movement in a network.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: October 6, 2025

Tables

DeviceFileEventsDeviceNetworkEvents

Keywords

DevicesAzureCustomScriptExtensionLateralMovementProcessRemoteServicesCloudVMConnectionsAdministrationCommand

Operators

let|where>ago===~isnotemptydistinctjoinkind=inneron$inin~

MITRE Techniques

Actions

GitHub