Adversaries may attempt to execute remote commands on Azure Infrastructure Resources using Managed VNet or SHIR to move laterally or exfiltrate data. SOC teams should proactively hunt for this behavior to detect and mitigate potential compromise of Azure environments.
KQL Query
let mde_threats = dynamic(["Behavior:Win32/SuspAzureRequest.A", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/SuspAzureRequest.C", "Behavior:Win32/LaunchingSuspCMD.B"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
id: a333d8bf-22a3-4c55-a1e9-5f0a135c0253
name: Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
description: |
'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR.
In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 ,
https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
tags:
- CVE-2022-29972
query: |
let mde_threats = dynamic(["Behavior:Win32/SuspAzureRequest.A", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/SuspAzureRequest.C", "Behavior:Win32/LaunchingSuspCMD.B"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: CompromisedEntity
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: PublicIP
version: 1.0.6
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft Security Research
support:
tier: Community
categories:
domains: [ "Security - Threat Protection" ]| Sentinel Table | Notes |
|---|---|
SecurityAlert | Ensure this data connector is enabled |
Scenario: Scheduled Azure Data Factory Pipeline Execution
Description: A legitimate scheduled pipeline in Azure Data Factory is executed, which may trigger a remote command execution alert due to the use of PowerShell or command-line scripts.
Filter/Exclusion: Exclude alerts where the source is Azure Data Factory and the process_name is AzureDataFactory.exe or Microsoft.DataFactory related processes.
Scenario: Admin Task to Update Azure Synapse Integration Runtime
Description: An administrator is performing a routine update to the Azure Synapse Integration Runtime, which may involve executing scripts or commands that are flagged by MDE.
Filter/Exclusion: Exclude alerts where the user_principal_name is a known admin account (e.g., [email protected]) and the process_name is msiexec.exe or setup.exe related to Azure Synapse updates.
Scenario: PowerShell Script for Data Pipeline Monitoring
Description: A PowerShell script is used to monitor the status of Azure Data Factory pipelines, which may be flagged as a remote command execution attempt.
Filter/Exclusion: Exclude alerts where the process_name is powershell.exe and the script_name contains DataFactoryMonitor.ps1 or similar known monitoring scripts.
Scenario: Azure DevOps Pipeline Deploying Data Factory Assets
Description: A CI/CD pipeline in Azure DevOps is deploying new or updated data factory assets, which may involve executing scripts or command-line tools that trigger MDE alerts.
Filter/Exclusion: Exclude alerts where the user_principal_name is an Azure DevOps service account (e.g., [email protected]) and the process_name is AzurePipeline.exe or AzureDevOpsAgent.exe.
Scenario: System Maintenance Task for Azure VNet Configuration