In the "Stolen Images" BazarLoader campaign, victims receive fake copyright-infringement contact-form emails and are lured into downloading a file that supposedly contains the stolen images but is in fact a script. This query keys on the artifact that running it leaves in DeviceProcessEvents: wscript.exe launched with both "stolen" and "images" in its command line. SOC teams should hunt for this in Microsoft Sentinel (formerly Azure Sentinel) so the initial execution is caught before the loader pulls down follow-on stages.
KQL Query

```kusto
DeviceProcessEvents
| where FileName =~ "wscript.exe" and ProcessCommandLine has_all("stolen", "images")
```
Detection rule (YAML)

```yaml
id: 0e959fe8-f086-4497-b538-60fb0b5d8e37
name: Stolen Images Execution
description: |
  The "Stolen Images" Bazarloader campaign uses fake copyright infringement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where FileName =~ "wscript.exe" and ProcessCommandLine has_all("stolen", "images")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector that populates this table is enabled |
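To see exactly what the query does and does not match, the following added Python simulation (not part of the original rule, nor Microsoft Sentinel code) re-implements its two predicates over constructed DeviceProcessEvents rows and then applies one narrowly scoped allowlist of the kind the tuning scenarios below call for. The term splitting in `kql_terms` is an approximation of Kusto's term indexing, and the device names, command lines and the `KNOWN_GOOD_SCRIPTS` entry are made up for the example.

```python
"""Offline simulation of the Stolen Images Execution hunt.

Added example, not part of the original Sentinel rule. Re-implements the
query's two predicates in Python and runs them over constructed
DeviceProcessEvents rows so the matching behaviour can be checked without
a workspace.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of DeviceProcessEvents columns used by the rule and its tuning."""
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str


def kql_terms(text: str) -> set:
    """Approximate Kusto term extraction (assumption, not the real indexer).

    Kusto's `has` matches whole indexed terms rather than substrings; here a
    term is any run of letters/digits and comparison is case-insensitive.
    """
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}


def has_all(text: str, *needles: str) -> bool:
    """`text has_all(needles...)`: every needle must appear as a whole term."""
    terms = kql_terms(text)
    return all(n.lower() in terms for n in needles)


def rule_matches(ev: ProcessEvent) -> bool:
    """The published query: FileName =~ "wscript.exe" and has_all("stolen","images")."""
    return ev.FileName.lower() == "wscript.exe" and has_all(
        ev.ProcessCommandLine, "stolen", "images")


# Hypothetical tuning allowlist: (launcher, script path) pairs for jobs that
# legitimately carry both words in their command line. Scope exclusions this
# narrowly rather than excluding a whole tool or account.
KNOWN_GOOD_SCRIPTS = {
    ("svchost.exe", r"d:\marketing\jobs\stolen-images-report.vbs"),
}


def is_known_good(ev: ProcessEvent) -> bool:
    launcher = ev.InitiatingProcessFileName.lower()
    cmd = ev.ProcessCommandLine.lower()
    return any(launcher == l and path in cmd for l, path in KNOWN_GOOD_SCRIPTS)


def hunt(events: Iterable[ProcessEvent], tuned: bool = True) -> List[str]:
    """Return DeviceName of every row the rule fires on, optionally after tuning."""
    return [ev.DeviceName for ev in events
            if rule_matches(ev) and not (tuned and is_known_good(ev))]


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # The lure: a downloaded script claiming to hold the "stolen images".
    ProcessEvent("ws01", "wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Stolen Images Evidence.js"',
                 "explorer.exe"),
    # Same lure, different casing and separator: =~ and has_all still match.
    ProcessEvent("ws02", "WScript.EXE",
                 r'"C:\Windows\System32\WScript.EXE" C:\Users\bob\AppData\Local\Temp\Stolen-Images-2021.js',
                 "chrome.exe"),
    # Coverage gap: cscript.exe runs the same script but FileName differs.
    ProcessEvent("ws03", "cscript.exe",
                 r'cscript.exe "C:\Users\carol\Downloads\Stolen Images Evidence.js"',
                 "explorer.exe"),
    # The single term "stolenimages" does not satisfy has_all (whole-term match).
    ProcessEvent("ws04", "wscript.exe",
                 r'wscript.exe C:\Scripts\StolenImages.js', "explorer.exe"),
    # Only one of the two words is present.
    ProcessEvent("ws05", "wscript.exe",
                 r'wscript.exe C:\Scripts\resize-images.vbs', "explorer.exe"),
    # Benign scheduled job that happens to carry both words: a hit, then allowlisted.
    ProcessEvent("ws06", "wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "D:\Marketing\Jobs\stolen-images-report.vbs"',
                 "svchost.exe"),
]

if __name__ == "__main__":
    print("raw hits:  ", hunt(SAMPLE_EVENTS, tuned=False))
    print("tuned hits:", hunt(SAMPLE_EVENTS))
```

Two things the run makes visible: `has_all` is a whole-term match, so a file named StolenImages.js slips past while Stolen-Images-2021.js is caught, and the `FileName =~ "wscript.exe"` test leaves cscript.exe uncovered, which is worth keeping in mind if you extend the rule.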
Scenario: Scheduled Image Processing Job
Description: A scheduled task runs a Windows Script Host script (.vbs/.js/.wsf) under wscript.exe that drives ImageMagick or the GD Library to resize images for a CMS such as WordPress or Drupal. The rule fires only if the script path or its arguments contain both the words "stolen" and "images"; ImageMagick's own processes (convert.exe, magick.exe) never match because FileName is not wscript.exe.
Filter/Exclusion: Allowlist the specific script path in ProcessCommandLine together with the launching process (InitiatingProcessFileName of the scheduled task host), rather than excluding the image tool by name.
Scenario: Admin Task for User Profile Picture Upload
Description: An administrator bulk-loads user profile pictures with a script. PowerShell (powershell.exe) and Active Directory Users and Computers (dsa.msc hosted by mmc.exe) do not match this rule; only a helper script launched through wscript.exe with both words in its command line would, for example one that imports from a folder named after a "stolen images" incident.
Filter/Exclusion: Exclude the known helper script by full path and the account that runs it during the maintenance window. Do not exclude all activity from admin accounts, since an administrator can open the lure too.
Scenario: Internal Image Verification Tool
Description: Scanners such as ClamAV or Sophos read image files; they never execute .jpg or .png files, and their own binaries do not match the FileName test. A hit would come only from a WSH wrapper script run via wscript.exe whose command line mentions "stolen images" (for example a quarantine folder name).
Filter/Exclusion: Exclude the wrapper script by full path. Filtering on image extensions in the command line does not help, because the rule matches on the two words, not on what the script processes.
Scenario: Automated Report Generation with Embedded Images
Description: Reporting tools such as Crystal Reports or Tableau render embedded images inside their own processes; nothing is executed. A hit requires a wscript.exe-launched automation script whose arguments name a report about "stolen images" (for instance a DLP or incident report).
Filter/Exclusion: Exclude the script by path, and optionally ProcessCommandLine values that point into a known report directory (e.g. C:\Reports\).
Scenario: Backup and Restore of Image Files
Description: Restoring files with Veeam or Commvault does not execute them. A hit arises only if a post-restore WSH script is started via wscript.exe with both words in its command line, for example a script that restores a folder named "stolen images".
*Filter/Ex