Adversaries may use Azure App Services to host malware-infected files, leveraging the platform’s infrastructure to persist or exfiltrate data. SOC teams should proactively hunt for this behavior to identify potential compromise of cloud-hosted applications and prevent data exfiltration or command-and-control communication.
KQL Query

```kusto
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
// Restrict to the lookback window (timeframe was defined but previously unused)
| where TimeGenerated >= timeframe
| where NumberOfInfectedFiles > 0
| extend timestamp = TimeGenerated
```
```yaml
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
name: AppServices AV Scan with Infected Files
description: |
  'Identifies if an AV scan finds infected files in Azure App Services.'
severity: Informational
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 1
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  // Restrict to the lookback window (timeframe was defined but previously unused)
  | where TimeGenerated >= timeframe
  | where NumberOfInfectedFiles > 0
  | extend timestamp = TimeGenerated
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: AzureID
        columnName: _ResourceId
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: SecurityJedi
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Platform" ]
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
Scenario: Scheduled AV Scan by Azure Security Center
Description: Azure Security Center performs a scheduled AV scan of App Services, which may detect benign files due to false positives or outdated signature databases.
Filter/Exclusion: Exclude events where the source is Azure Security Center and the scan is part of a known scheduled maintenance window.

Scenario: Admin Task to Clean Malware on App Service
Description: An administrator manually runs an AV scan using tools like Microsoft Defender for Cloud or Windows Defender to clean up a known malicious file.
Filter/Exclusion: Exclude events where the user is a privileged admin and the action is associated with a known cleanup task (e.g., CleanupMalware-2024-05-01).

Scenario: Integration with Third-Party AV Tools
Description: A third-party AV tool (e.g., Bitdefender, Kaspersky, or Malwarebytes) is integrated with Azure App Services and triggers a scan, falsely identifying legitimate files as infected.
Filter/Exclusion: Exclude events where the AV tool is whitelisted or the scan is initiated by a known integration (e.g., Bitdefender-Integration-Scan).

Scenario: Automated Backup Job with Embedded Malware Signatures
Description: A backup job using Azure Backup or Veeam includes files that were previously flagged by an AV tool, leading to false positives during the scan.
Filter/Exclusion: Exclude events where the file path matches backup directories (e.g., C:\Backup\, /mnt/backups/) or the job is identified by a known backup process.

Scenario: Development Environment with Test Malware Files
Description: Developers in a test
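The following query is an added example, not part of the original rule or SecurityJedi's code. It takes the page's base detection and applies the tuning that the backup-directory and known-integration scenarios above call for: infected-file paths under backup locations are dropped per file, and App Services with a documented scan source are suppressed. It assumes that `ListOfInfectedFiles` is a comma-separated string column of the `AppServiceAntivirusScanAuditLogs` table; the `knownScanSources` resource ID and reason are constructed placeholders to be replaced with real values (a Sentinel watchlist would serve the same purpose).

```kusto
// Added example, not the page's rule: base detection plus tuning for the
// documented false-positive scenarios. ListOfInfectedFiles is assumed to be a
// comma-separated string column; knownScanSources values are placeholders.
let timeframe = ago(1d);
// App Services where a known AV integration or cleanup task legitimately
// produces infected-file hits (placeholders; lower-cased for a stable join key)
let knownScanSources = datatable(ResourceIdLower:string, Reason:string) [
    "/subscriptions/<sub-id>/resourcegroups/<rg>/providers/microsoft.web/sites/<app>", "Bitdefender-Integration-Scan"
];
AppServiceAntivirusScanAuditLogs
| where TimeGenerated >= timeframe
| where NumberOfInfectedFiles > 0
// One row per infected file so path-based exclusions are evaluated per file
| extend InfectedFile = split(ListOfInfectedFiles, ",")
| mv-expand InfectedFile to typeof(string)
| extend InfectedFile = trim(" ", InfectedFile)
// Backup-directory hits are re-scans of files that were already flagged
| where not(InfectedFile startswith @"C:\Backup\" or InfectedFile startswith "/mnt/backups/")
// Re-aggregate so the result is still one row per scan event, keeping only
// the files that survived the exclusions
| summarize InfectedFiles = make_set(InfectedFile), RemainingCount = count()
    by TimeGenerated, _ResourceId
| where RemainingCount > 0
// Suppress App Services whose scans come from a documented, expected source
| extend ResourceIdLower = tolower(_ResourceId)
| join kind=leftanti knownScanSources on ResourceIdLower
| project timestamp = TimeGenerated, _ResourceId, RemainingCount, InfectedFiles
```

The `timestamp` and `_ResourceId` columns are kept so the rule's existing Host entity mapping continues to work. Exclusions are applied per file rather than per event on purpose: an event whose only hits sit in a backup directory is dropped, but an event that also flags a file elsewhere under the site root still surfaces with the backup paths removed from its file set.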