Product
Azure Automation Runbook Created or Modified
2 rules 2 TTPsAn adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment, detected through Azure activity logs.
Azure Automation Runbook Deleted
2 rules 2 TTPsDetection of Azure Automation runbook deletion, potentially indicating defense evasion or disruption of automated business processes by an adversary removing malicious or critical runbooks.
Suspicious Azure Automation Account Creation
2 rules 2 TTPsAn adversary may create an Azure Automation account to maintain persistence in the target environment by automating malicious tasks.
Azure Runbook Webhook Creation Detected
2 rules 1 TTPDetection of a new Azure Automation Runbook Webhook creation, potentially leading to unauthorized access and control over Azure resources by enabling unauthenticated URL triggers.
Azure Automation Runbook Creation for Persistence
2 rules 1 TTPThis analytic detects the creation of a new Azure Automation Runbook within an Azure tenant using Azure Audit events, which adversaries with privileged access can abuse to maintain persistence, escalate privileges, or execute malicious code, potentially leading to unauthorized actions and compromise of the Azure environment.
Azure Automation Account Creation
2 rules 1 TTPDetect the creation of new Azure Automation accounts, which can be used by attackers for persistence, privilege escalation, and malicious runbook execution within Azure environments.
Azure Automation Webhook Created for Persistence
2 rules 2 TTPsAdversaries may create Azure Automation webhooks to trigger malicious runbooks for persistence in cloud environments.