Azure Automation Webhook Created for Persistence
Adversaries may create Azure Automation webhooks to trigger malicious runbooks for persistence in cloud environments.
This alert identifies the creation of Azure Automation webhooks, which adversaries may abuse to establish persistence within cloud environments. Azure Automation allows users to define and execute runbooks, which are scripts that automate tasks. Webhooks provide a mechanism to trigger these runbooks via HTTP requests. An attacker can create a webhook associated with a malicious runbook, allowing them to execute arbitrary code within the Azure environment whenever the webhook URL is accessed. This poses a significant risk, as it allows attackers to maintain a persistent foothold and potentially escalate their privileges. The detection rule focuses on identifying specific operation names within Azure activity logs related to webhook creation.
Attack Chain
- An attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.
- The attacker navigates to the Azure Automation service within the compromised account.
- The attacker creates a new runbook or modifies an existing one to include malicious code (e.g., PowerShell script to create a new user, exfiltrate data, or deploy malware).
- The attacker creates a new webhook associated with the malicious runbook. The webhook is configured to be triggered by an HTTP request to a unique URL.
- The attacker obtains the webhook URL.
- The attacker triggers the webhook by sending an HTTP request to the URL, either manually or through an automated process.
- The Azure Automation service executes the runbook associated with the webhook.
- The malicious code within the runbook executes, achieving the attacker's objective (e.g., persistence, privilege escalation, data exfiltration).
Impact
Successful exploitation allows attackers to establish a persistent presence within the Azure environment. This can lead to unauthorized access to sensitive data, deployment of malware, or further compromise of other resources within the cloud infrastructure. While the risk score is low, the long-term impact of persistence can be severe, potentially affecting hundreds or thousands of resources depending on the scope of the compromised Azure account.
Recommendation
- Deploy the Sigma rule "Azure Automation Webhook Created" to your SIEM and tune for your environment (rule below).
- Review Azure activity logs for unusual webhook creation events, focusing on the
azure.activitylogs.operation_namefield as indicated in the rule (rule below). - Implement enhanced monitoring and alerting for webhook creation and execution activities to detect similar threats in the future as described in the Overview section.
- Enforce multi-factor authentication (MFA) for all accounts with access to Azure Automation as mentioned in the Response and Remediation section.
Detection coverage 2
Azure Automation Webhook Created
lowDetects the creation of Azure Automation webhooks, which can be used for persistence.
Azure Automation Webhook Action Detected
lowDetects an action on Azure Automation webhooks, such as creation or modification.
Detection queries are available on the platform. Get full rules →