Skip to content
Threat Feed
high advisory

Azure Automation Account Creation

Detect the creation of new Azure Automation accounts, which can be used by attackers for persistence, privilege escalation, and malicious runbook execution within Azure environments.

This brief focuses on detecting the creation of new Azure Automation accounts, a technique used by attackers to establish persistence and execute malicious actions within Azure environments. Azure Automation allows users to automate tasks across Azure and on-premise systems via runbooks. An attacker creating a rogue Automation account with elevated privileges can maintain a foothold in the environment, execute malicious scripts, and potentially gain control over virtual machines and other resources. This detection leverages Azure Audit events (Azure Activity log) to identify such suspicious account creation activity. The risk is significant due to the potential for broad impact and the difficulty in tracing actions back to the attacker-controlled Automation account. The provided Splunk analytic was last updated in version 13 on April 15, 2026.

Attack Chain

  1. The attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in a web application.
  2. The attacker attempts to create a new Azure Automation account using stolen credentials or through a compromised service principal.
  3. An Azure Audit event is generated with operationName.value="Microsoft.Automation/automationAccounts/write" and status.value=Succeeded, indicating the successful creation of the account.
  4. The attacker configures the Automation account, assigning it elevated privileges, such as Contributor or Owner roles.
  5. The attacker creates or imports malicious runbooks into the Automation account. These runbooks can contain PowerShell or Python scripts designed to execute malicious tasks.
  6. The attacker leverages the Hybrid Runbook Worker feature to execute runbooks on Azure VMs or on-premise servers, allowing them to move laterally within the environment.
  7. The runbooks execute malicious code, potentially installing backdoors, stealing credentials, or exfiltrating sensitive data.
  8. The attacker maintains persistence by scheduling runbooks to execute regularly, ensuring continued access to the environment.

Impact

Successful exploitation can lead to significant damage, including data breaches, system compromise, and financial loss. Attackers can leverage Automation accounts to maintain persistence even after initial compromises are remediated. The scope of impact depends on the privileges assigned to the Automation account, but could potentially affect the entire Azure subscription and connected on-premise resources. This could lead to ransomware deployment, sensitive data exfiltration, or long-term espionage.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune for your environment to detect the creation of Azure Automation accounts.
  • Investigate any detected Automation account creation events, focusing on accounts created by unfamiliar users or service principals.
  • Monitor Azure Audit logs for suspicious activity associated with newly created Automation accounts, such as runbook creation and execution.
  • Implement multi-factor authentication (MFA) for all Azure users to reduce the risk of credential compromise.
  • Review and restrict the permissions assigned to Azure Automation accounts, following the principle of least privilege.
  • Use Azure Policy to enforce restrictions on Automation account creation and configuration.

Detection coverage 2

Azure Automation Account Created

high

Detects the creation of a new Azure Automation account in Azure Audit logs.

sigma tactics: persistence techniques: T1136.003 sources: cloudtrail, azure, activitylogs

Suspicious Azure Automation Runbook Creation

medium

Detects the creation of an Azure Automation runbook shortly after the Automation Account creation

sigma tactics: execution, persistence sources: cloudtrail, azure, activitylogs

Detection queries are available on the platform. Get full rules →