← Back to SOC feed Coverage →

Cloud Hopper

kql MEDIUM Azure-Sentinel
DeviceProcessEvents
apthuntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-04-25T09:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may use long-term, low-privilege access to maintain persistence within cloud environments, leveraging compromised credentials to move laterally and exfiltrate data over extended periods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term data exfiltration and lateral movement by advanced persistent threats.

KQL Query

DeviceProcessEvents 
| where Timestamp > ago(7d)
| where FileName =~ @"cscript.exe" and ProcessCommandLine has ".vbs /shell "
| top 100 by Timestamp desc

Analytic Rule Definition

id: 8c54c0f3-fbd4-426b-8f58-363efbdc09fa
name: Cloud Hopper
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
query: |
  DeviceProcessEvents 
  | where Timestamp > ago(7d)
  | where FileName =~ @"cscript.exe" and ProcessCommandLine has ".vbs /shell "
  | top 100 by Timestamp desc

Required Data Sources

Sentinel TableNotes
DeviceProcessEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Cloud Hopper.yaml