{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-automation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["low"],"_cs_tags":["azure","automation","runbook","execution","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation or modification of Azure Automation runbooks, a technique that adversaries can use to execute malicious code within an Azure environment and establish persistence. Azure Automation runbooks are scripts that automate tasks in cloud environments. The activity is detected by monitoring Azure activity logs for specific operations related to runbook creation or modification. While legitimate updates and maintenance may trigger this detection, unauthorized changes to runbooks can introduce backdoors or malicious functionality. The detection focuses on \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\u0026quot;, \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\u0026quot;, or \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\u0026quot; operations. This activity is a part of exploiting cloud resources for unauthorized purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to an Azure account with sufficient privileges to manage Automation Accounts.\u003c/li\u003e\n\u003cli\u003eThe adversary navigates to the Azure Automation service.\u003c/li\u003e\n\u003cli\u003eThe adversary creates a new runbook or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe runbook is populated with malicious code, such as PowerShell scripts designed to create a backdoor or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe adversary publishes the runbook, making it active within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe runbook is scheduled to execute automatically or triggered manually.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the runbook executes, performing unauthorized actions such as data exfiltration or resource manipulation.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistence by ensuring the runbook continues to execute on a schedule.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, resource hijacking, and persistent backdoors within the Azure environment. The impact ranges from data breaches and service disruption to long-term control of the compromised Azure resources. Even though rated low severity, successful exploitation leads to further malicious actions within the cloud environment, potentially impacting multiple services and data stores.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Automation Runbook Creation or Modification\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious activity (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for the \u003ccode\u003eMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\u003c/code\u003e, \u003ccode\u003eMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\u003c/code\u003e, and \u003ccode\u003eMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\u003c/code\u003e operations to identify potential unauthorized changes (logs).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for Azure accounts with permissions to manage Automation Accounts (best practice).\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the content of Azure Automation runbooks to identify any unauthorized or suspicious code (best practice).\u003c/li\u003e\n\u003cli\u003eConsider enabling logging of runbook execution to gain deeper visibility into their activity (best practice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/","summary":"An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment, detected through Azure activity logs.","title":"Azure Automation Runbook Created or Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["low"],"_cs_tags":["cloud","azure","defense-evasion","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when an Azure Automation runbook is deleted. Azure Automation runbooks are used to automate repetitive tasks and manage cloud resources. An adversary may delete an Azure Automation runbook to disrupt normal automated business operations or to remove a malicious runbook they previously deployed, thus covering their tracks. The detection focuses on monitoring Azure activity logs for events indicating the successful deletion of runbooks. While often legitimate, unexpected or unauthorized runbook deletions warrant investigation, especially in sensitive environments. The rule is designed to work with data ingested through the Azure Fleet integration or Filebeat module, which provides the necessary Azure activity logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies Azure Automation accounts and their associated runbooks.\u003c/li\u003e\n\u003cli\u003eIf the attacker previously created a malicious runbook for persistence or other malicious purposes, they may delete it to evade detection.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may delete legitimate runbooks to disrupt automated processes and cause operational impact.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the runbook deletion command, triggering an event logged in the Azure activity logs. The specific operation name is \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe Azure platform records the deletion event, including the user identity and timestamp of the action.\u003c/li\u003e\n\u003cli\u003eIf successful, the runbook is permanently removed from the automation account.\u003c/li\u003e\n\u003cli\u003eThe deletion leads to disruption of the automated tasks previously performed by the runbook, potentially impacting business operations or security measures.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Azure Automation runbooks can lead to the disruption of critical automated tasks, affecting business operations and potentially causing financial or reputational damage. The severity depends on the importance of the deleted runbooks. If malicious runbooks are deleted, it serves as defense evasion, potentially delaying incident response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect Azure Automation runbook deletions and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected runbook deletions, focusing on the user identity and context of the event (refer to the investigation steps in the rule description).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and auditing for Azure Automation accounts to limit the ability to delete runbooks to authorized personnel.\u003c/li\u003e\n\u003cli\u003eConsider enabling versioning or backups of Azure Automation runbooks to facilitate restoration in case of accidental or malicious deletion.\u003c/li\u003e\n\u003cli\u003eMonitor user accounts for suspicious activity prior to the deletion event, such as privilege escalation or unusual access patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T12:00:00Z","date_published":"2024-01-11T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-11-azure-automation-runbook-deleted/","summary":"Detection of Azure Automation runbook deletion, potentially indicating defense evasion or disruption of automated business processes by an adversary removing malicious or critical runbooks.","title":"Azure Automation Runbook Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-11-azure-automation-runbook-deleted/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["medium"],"_cs_tags":["azure","persistence","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure Automation accounts allow users to automate management tasks and orchestrate actions across systems. An attacker may create an Automation Account for persistence, defense evasion, or lateral movement. The primary technique involves creating a valid account (T1078) within the Azure environment and abusing it for malicious purposes. This activity can be difficult to detect because the creation of Automation Accounts is a legitimate administrative function. Defenders need to monitor these events and correlate them with other suspicious activities. This brief focuses on detecting the initial creation of such accounts, providing a starting point for deeper investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, possibly through compromised credentials or a misconfigured service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure Resource Manager API.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Azure CLI or PowerShell module to create a new Azure Automation account using the \u003ccode\u003eNew-AzAutomationAccount\u003c/code\u003e command or equivalent API call.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the Automation Account with necessary permissions, possibly granting it access to other resources within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker creates Runbooks within the Automation Account that contain malicious scripts designed to perform tasks such as data exfiltration, lateral movement, or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker schedules the Runbooks to execute automatically or triggers them manually as needed to maintain persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Automation Account to maintain a foothold in the environment, bypassing traditional security controls and remaining undetected for extended periods.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised Automation Account to achieve their final objective, such as data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to long-term persistence within the Azure environment. This allows the attacker to maintain control even if other access methods are discovered and remediated. The attacker can use the Automation Account to execute malicious code, steal sensitive data, or disrupt critical services, leading to significant financial and reputational damage. This can affect organizations of any size that rely on Azure for their infrastructure and operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Automation Account Created\u0026quot; to your SIEM and tune for your environment to detect account creations (rule.name).\u003c/li\u003e\n\u003cli\u003eInvestigate the user or service principal responsible for creating new Automation Accounts (references).\u003c/li\u003e\n\u003cli\u003eReview the permissions granted to newly created Automation Accounts to identify any excessive privileges (references).\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious activity originating from Automation Accounts, such as unauthorized access to resources or execution of unusual scripts (references).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with administrative privileges to prevent credential compromise (references).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the impact of compromised accounts (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T16:00:00Z","date_published":"2024-01-04T16:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-azure-automation-account-creation/","summary":"An adversary may create an Azure Automation account to maintain persistence in the target environment by automating malicious tasks.","title":"Suspicious Azure Automation Account Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-04-azure-automation-account-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["high"],"_cs_tags":["azure","runbook","webhook","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on the creation of new Azure Automation Runbook Webhooks within an Azure tenant. Attackers can exploit these webhooks, which trigger Automation Runbooks through unauthenticated URLs, to execute malicious code, create unauthorized user accounts, or establish persistence within the Azure environment. This activity is detected using Azure Audit events, specifically monitoring for the \u0026quot;Microsoft.Automation/automationAccounts/webhooks/write\u0026quot; operation. This is especially critical as successful exploitation can lead to full control over the Azure resources. Defenders should prioritize monitoring for unexpected or unauthorized webhook creation activities. This detection originated from Splunk's ES-CU detections as of April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Automation service within the Azure portal.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new Automation Account if one doesn't exist, or uses an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new Runbook designed to execute malicious tasks. This could include adding a new user account with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a webhook associated with the malicious Runbook. This generates an unauthenticated URL.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the webhook to trigger the Runbook upon accessing the unauthenticated URL.\u003c/li\u003e\n\u003cli\u003eThe attacker tests the webhook URL to ensure the Runbook executes as intended.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the webhook URL to execute malicious actions within the Azure environment, such as creating new high privileged accounts or modifying existing infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access and control over Azure resources. This can result in data breaches, service disruptions, and further compromise of the environment. If not detected promptly, this can lead to significant financial and reputational damage. This issue impacts any organization using Azure Automation and exposes all data and resources managed within the impacted Azure tenant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Runbook Webhook Created\u003c/code\u003e to your SIEM and tune for your environment to detect the creation of malicious webhooks.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of Azure Runbook Webhook creation, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and source IP (\u003ccode\u003esrc_ip\u003c/code\u003e) involved.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity logs for the \u0026quot;Microsoft.Automation/automationAccounts/webhooks/write\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious connections to newly created webhook URLs (related to the created \u003ccode\u003eobject\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies and multi-factor authentication for all Azure accounts to prevent initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/","summary":"Detection of a new Azure Automation Runbook Webhook creation, potentially leading to unauthorized access and control over Azure resources by enabling unauthenticated URL triggers.","title":"Azure Runbook Webhook Creation Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["high"],"_cs_tags":["azure","persistence","automation","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of Azure Automation Runbooks can be a legitimate administrative task, but it also presents a significant security risk. Threat actors with sufficient privileges can create or modify runbooks to establish persistence, escalate privileges, or execute malicious code within the Azure environment. This activity, if malicious, can lead to significant damage, including the creation of rogue Global Administrators, unauthorized code execution on virtual machines, and ultimately, the compromise of the entire Azure infrastructure. This brief focuses on detecting the creation of these runbooks as a potential indicator of malicious activity and provides guidance on how to identify and respond to such events. The detection logic is based on Azure Audit events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure tenant, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates their privileges to a level sufficient to create or modify Azure Automation Runbooks.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new Azure Automation Account if one does not already exist, or uses an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Runbook containing code designed to perform unauthorized actions. This could involve PowerShell scripts or other supported languages.\u003c/li\u003e\n\u003cli\u003eThe attacker creates the malicious Azure Automation Runbook, triggering an Azure Audit event with \u003ccode\u003eoperationName.value=\u0026quot;Microsoft.Automation/automationAccounts/runbooks/write\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker schedules or manually executes the Runbook.\u003c/li\u003e\n\u003cli\u003eThe Runbook executes malicious code, potentially creating new user accounts with elevated privileges or deploying malware to virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by maintaining the Runbook for future unauthorized access or control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious Azure Automation Runbook creation can lead to a complete compromise of the Azure environment. Attackers can create new administrative accounts, giving them persistent and unrestricted access. They can execute arbitrary code on virtual machines, potentially leading to data theft, ransomware deployment, or other destructive activities. The impact can range from data breaches and service disruptions to significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Automation Runbook Created\u003c/code\u003e to your SIEM to detect suspicious runbook creation activity. Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of Runbook creation, paying close attention to the user involved (\u003ccode\u003euser\u003c/code\u003e field) and the contents of the Runbook itself.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit logs for unusual or unauthorized activity related to Automation Accounts and Runbooks.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege, ensuring that users only have the necessary permissions to perform their tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-automation-runbook-creation/","summary":"This analytic detects the creation of a new Azure Automation Runbook within an Azure tenant using Azure Audit events, which adversaries with privileged access can abuse to maintain persistence, escalate privileges, or execute malicious code, potentially leading to unauthorized actions and compromise of the Azure environment.","title":"Azure Automation Runbook Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-automation-runbook-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["high"],"_cs_tags":["azure","automation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting the creation of new Azure Automation accounts, a technique used by attackers to establish persistence and execute malicious actions within Azure environments. Azure Automation allows users to automate tasks across Azure and on-premise systems via runbooks. An attacker creating a rogue Automation account with elevated privileges can maintain a foothold in the environment, execute malicious scripts, and potentially gain control over virtual machines and other resources. This detection leverages Azure Audit events (Azure Activity log) to identify such suspicious account creation activity. The risk is significant due to the potential for broad impact and the difficulty in tracing actions back to the attacker-controlled Automation account. The provided Splunk analytic was last updated in version 13 on April 15, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in a web application.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new Azure Automation account using stolen credentials or through a compromised service principal.\u003c/li\u003e\n\u003cli\u003eAn Azure Audit event is generated with \u003ccode\u003eoperationName.value=\u0026quot;Microsoft.Automation/automationAccounts/write\u0026quot;\u003c/code\u003e and \u003ccode\u003estatus.value=Succeeded\u003c/code\u003e, indicating the successful creation of the account.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the Automation account, assigning it elevated privileges, such as Contributor or Owner roles.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or imports malicious runbooks into the Automation account. These runbooks can contain PowerShell or Python scripts designed to execute malicious tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Hybrid Runbook Worker feature to execute runbooks on Azure VMs or on-premise servers, allowing them to move laterally within the environment.\u003c/li\u003e\n\u003cli\u003eThe runbooks execute malicious code, potentially installing backdoors, stealing credentials, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by scheduling runbooks to execute regularly, ensuring continued access to the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant damage, including data breaches, system compromise, and financial loss. Attackers can leverage Automation accounts to maintain persistence even after initial compromises are remediated. The scope of impact depends on the privileges assigned to the Automation account, but could potentially affect the entire Azure subscription and connected on-premise resources. This could lead to ransomware deployment, sensitive data exfiltration, or long-term espionage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect the creation of Azure Automation accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected Automation account creation events, focusing on accounts created by unfamiliar users or service principals.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit logs for suspicious activity associated with newly created Automation accounts, such as runbook creation and execution.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions assigned to Azure Automation accounts, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eUse Azure Policy to enforce restrictions on Automation account creation and configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-account-creation/","summary":"Detect the creation of new Azure Automation accounts, which can be used by attackers for persistence, privilege escalation, and malicious runbook execution within Azure environments.","title":"Azure Automation Account Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-account-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["low"],"_cs_tags":["azure","persistence","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies the creation of Azure Automation webhooks, which adversaries may abuse to establish persistence within cloud environments. Azure Automation allows users to define and execute runbooks, which are scripts that automate tasks. Webhooks provide a mechanism to trigger these runbooks via HTTP requests. An attacker can create a webhook associated with a malicious runbook, allowing them to execute arbitrary code within the Azure environment whenever the webhook URL is accessed. This poses a significant risk, as it allows attackers to maintain a persistent foothold and potentially escalate their privileges. The detection rule focuses on identifying specific operation names within Azure activity logs related to webhook creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Automation service within the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new runbook or modifies an existing one to include malicious code (e.g., PowerShell script to create a new user, exfiltrate data, or deploy malware).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new webhook associated with the malicious runbook. The webhook is configured to be triggered by an HTTP request to a unique URL.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the webhook URL.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the webhook by sending an HTTP request to the URL, either manually or through an automated process.\u003c/li\u003e\n\u003cli\u003eThe Azure Automation service executes the runbook associated with the webhook.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the runbook executes, achieving the attacker's objective (e.g., persistence, privilege escalation, data exfiltration).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent presence within the Azure environment. This can lead to unauthorized access to sensitive data, deployment of malware, or further compromise of other resources within the cloud infrastructure. While the risk score is low, the long-term impact of persistence can be severe, potentially affecting hundreds or thousands of resources depending on the scope of the compromised Azure account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Automation Webhook Created\u0026quot; to your SIEM and tune for your environment (rule below).\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for unusual webhook creation events, focusing on the \u003ccode\u003eazure.activitylogs.operation_name\u003c/code\u003e field as indicated in the rule (rule below).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for webhook creation and execution activities to detect similar threats in the future as described in the Overview section.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all accounts with access to Azure Automation as mentioned in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-webhook-created/","summary":"Adversaries may create Azure Automation webhooks to trigger malicious runbooks for persistence in cloud environments.","title":"Azure Automation Webhook Created for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-webhook-created/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Automation","version":"https://jsonfeed.org/version/1.1"}