{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/runbook/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["low"],"_cs_tags":["azure","automation","runbook","execution","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation or modification of Azure Automation runbooks, a technique that adversaries can use to execute malicious code within an Azure environment and establish persistence. Azure Automation runbooks are scripts that automate tasks in cloud environments. The activity is detected by monitoring Azure activity logs for specific operations related to runbook creation or modification. While legitimate updates and maintenance may trigger this detection, unauthorized changes to runbooks can introduce backdoors or malicious functionality. The detection focuses on \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\u0026quot;, \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\u0026quot;, or \u0026quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\u0026quot; operations. This activity is a part of exploiting cloud resources for unauthorized purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to an Azure account with sufficient privileges to manage Automation Accounts.\u003c/li\u003e\n\u003cli\u003eThe adversary navigates to the Azure Automation service.\u003c/li\u003e\n\u003cli\u003eThe adversary creates a new runbook or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe runbook is populated with malicious code, such as PowerShell scripts designed to create a backdoor or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe adversary publishes the runbook, making it active within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe runbook is scheduled to execute automatically or triggered manually.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the runbook executes, performing unauthorized actions such as data exfiltration or resource manipulation.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistence by ensuring the runbook continues to execute on a schedule.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, resource hijacking, and persistent backdoors within the Azure environment. The impact ranges from data breaches and service disruption to long-term control of the compromised Azure resources. Even though rated low severity, successful exploitation leads to further malicious actions within the cloud environment, potentially impacting multiple services and data stores.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Automation Runbook Creation or Modification\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious activity (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for the \u003ccode\u003eMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\u003c/code\u003e, \u003ccode\u003eMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\u003c/code\u003e, and \u003ccode\u003eMICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\u003c/code\u003e operations to identify potential unauthorized changes (logs).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for Azure accounts with permissions to manage Automation Accounts (best practice).\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the content of Azure Automation runbooks to identify any unauthorized or suspicious code (best practice).\u003c/li\u003e\n\u003cli\u003eConsider enabling logging of runbook execution to gain deeper visibility into their activity (best practice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/","summary":"An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment, detected through Azure activity logs.","title":"Azure Automation Runbook Created or Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Automation"],"_cs_severities":["high"],"_cs_tags":["azure","runbook","webhook","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on the creation of new Azure Automation Runbook Webhooks within an Azure tenant. Attackers can exploit these webhooks, which trigger Automation Runbooks through unauthenticated URLs, to execute malicious code, create unauthorized user accounts, or establish persistence within the Azure environment. This activity is detected using Azure Audit events, specifically monitoring for the \u0026quot;Microsoft.Automation/automationAccounts/webhooks/write\u0026quot; operation. This is especially critical as successful exploitation can lead to full control over the Azure resources. Defenders should prioritize monitoring for unexpected or unauthorized webhook creation activities. This detection originated from Splunk's ES-CU detections as of April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Automation service within the Azure portal.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new Automation Account if one doesn't exist, or uses an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new Runbook designed to execute malicious tasks. This could include adding a new user account with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a webhook associated with the malicious Runbook. This generates an unauthenticated URL.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the webhook to trigger the Runbook upon accessing the unauthenticated URL.\u003c/li\u003e\n\u003cli\u003eThe attacker tests the webhook URL to ensure the Runbook executes as intended.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the webhook URL to execute malicious actions within the Azure environment, such as creating new high privileged accounts or modifying existing infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access and control over Azure resources. This can result in data breaches, service disruptions, and further compromise of the environment. If not detected promptly, this can lead to significant financial and reputational damage. This issue impacts any organization using Azure Automation and exposes all data and resources managed within the impacted Azure tenant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Runbook Webhook Created\u003c/code\u003e to your SIEM and tune for your environment to detect the creation of malicious webhooks.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of Azure Runbook Webhook creation, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and source IP (\u003ccode\u003esrc_ip\u003c/code\u003e) involved.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity logs for the \u0026quot;Microsoft.Automation/automationAccounts/webhooks/write\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious connections to newly created webhook URLs (related to the created \u003ccode\u003eobject\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies and multi-factor authentication for all Azure accounts to prevent initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/","summary":"Detection of a new Azure Automation Runbook Webhook creation, potentially leading to unauthorized access and control over Azure resources by enabling unauthenticated URL triggers.","title":"Azure Runbook Webhook Creation Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/"}],"language":"en","title":"CraftedSignal Threat Feed - Runbook","version":"https://jsonfeed.org/version/1.1"}