Azure Automation Runbook Created or Modified
An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment, detected through Azure activity logs.
This detection identifies the creation or modification of Azure Automation runbooks, a technique that adversaries can use to execute malicious code within an Azure environment and establish persistence. Azure Automation runbooks are scripts that automate tasks in cloud environments. The activity is detected by monitoring Azure activity logs for specific operations related to runbook creation or modification. While legitimate updates and maintenance may trigger this detection, unauthorized changes to runbooks can introduce backdoors or malicious functionality. The detection focuses on "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", or "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION" operations. This activity is a part of exploiting cloud resources for unauthorized purposes.
Attack Chain
- Adversary gains initial access to an Azure account with sufficient privileges to manage Automation Accounts.
- The adversary navigates to the Azure Automation service.
- The adversary creates a new runbook or modifies an existing one.
- The runbook is populated with malicious code, such as PowerShell scripts designed to create a backdoor or exfiltrate data.
- The adversary publishes the runbook, making it active within the Azure environment.
- The runbook is scheduled to execute automatically or triggered manually.
- The malicious code within the runbook executes, performing unauthorized actions such as data exfiltration or resource manipulation.
- The adversary maintains persistence by ensuring the runbook continues to execute on a schedule.
Impact
A successful attack can lead to unauthorized access to sensitive data, resource hijacking, and persistent backdoors within the Azure environment. The impact ranges from data breaches and service disruption to long-term control of the compromised Azure resources. Even though rated low severity, successful exploitation leads to further malicious actions within the cloud environment, potentially impacting multiple services and data stores.
Recommendation
- Deploy the Sigma rule
Azure Automation Runbook Creation or Modificationto your SIEM and tune for your environment to detect suspicious activity (rule). - Review Azure activity logs for the
MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE,MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE, andMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTIONoperations to identify potential unauthorized changes (logs). - Implement strict access controls and multi-factor authentication for Azure accounts with permissions to manage Automation Accounts (best practice).
- Regularly audit and review the content of Azure Automation runbooks to identify any unauthorized or suspicious code (best practice).
- Consider enabling logging of runbook execution to gain deeper visibility into their activity (best practice).
Detection coverage 2
Azure Automation Runbook Creation or Modification
lowDetects when an Azure Automation runbook is created or modified, potentially indicating malicious activity.
Suspicious Azure Automation Account Activity
highDetects potential malicious use of Azure Automation accounts based on unusual activity patterns
Detection queries are available on the platform. Get full rules →