<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Runbook - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/runbook/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 25 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/runbook/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Automation Runbook Created or Modified</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/</link><pubDate>Thu, 25 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-automation-runbook-modification/</guid><description>An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment, detected through Azure activity logs.</description><content:encoded><![CDATA[<p>This detection identifies the creation or modification of Azure Automation runbooks, a technique that adversaries can use to execute malicious code within an Azure environment and establish persistence. Azure Automation runbooks are scripts that automate tasks in cloud environments. The activity is detected by monitoring Azure activity logs for specific operations related to runbook creation or modification. While legitimate updates and maintenance may trigger this detection, unauthorized changes to runbooks can introduce backdoors or malicious functionality. The detection focuses on &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE&quot;, &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE&quot;, or &quot;MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION&quot; operations. This activity is a part of exploiting cloud resources for unauthorized purposes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Adversary gains initial access to an Azure account with sufficient privileges to manage Automation Accounts.</li>
<li>The adversary navigates to the Azure Automation service.</li>
<li>The adversary creates a new runbook or modifies an existing one.</li>
<li>The runbook is populated with malicious code, such as PowerShell scripts designed to create a backdoor or exfiltrate data.</li>
<li>The adversary publishes the runbook, making it active within the Azure environment.</li>
<li>The runbook is scheduled to execute automatically or triggered manually.</li>
<li>The malicious code within the runbook executes, performing unauthorized actions such as data exfiltration or resource manipulation.</li>
<li>The adversary maintains persistence by ensuring the runbook continues to execute on a schedule.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, resource hijacking, and persistent backdoors within the Azure environment. The impact ranges from data breaches and service disruption to long-term control of the compromised Azure resources. Even though rated low severity, successful exploitation leads to further malicious actions within the cloud environment, potentially impacting multiple services and data stores.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Automation Runbook Creation or Modification</code> to your SIEM and tune for your environment to detect suspicious activity (rule).</li>
<li>Review Azure activity logs for the <code>MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE</code>, <code>MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE</code>, and <code>MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION</code> operations to identify potential unauthorized changes (logs).</li>
<li>Implement strict access controls and multi-factor authentication for Azure accounts with permissions to manage Automation Accounts (best practice).</li>
<li>Regularly audit and review the content of Azure Automation runbooks to identify any unauthorized or suspicious code (best practice).</li>
<li>Consider enabling logging of runbook execution to gain deeper visibility into their activity (best practice).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>automation</category><category>runbook</category><category>execution</category><category>persistence</category></item><item><title>Azure Runbook Webhook Creation Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-runbook-webhook-created/</guid><description>Detection of a new Azure Automation Runbook Webhook creation, potentially leading to unauthorized access and control over Azure resources by enabling unauthenticated URL triggers.</description><content:encoded><![CDATA[<p>This alert focuses on the creation of new Azure Automation Runbook Webhooks within an Azure tenant. Attackers can exploit these webhooks, which trigger Automation Runbooks through unauthenticated URLs, to execute malicious code, create unauthorized user accounts, or establish persistence within the Azure environment. This activity is detected using Azure Audit events, specifically monitoring for the &quot;Microsoft.Automation/automationAccounts/webhooks/write&quot; operation. This is especially critical as successful exploitation can lead to full control over the Azure resources. Defenders should prioritize monitoring for unexpected or unauthorized webhook creation activities. This detection originated from Splunk's ES-CU detections as of April 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker navigates to the Azure Automation service within the Azure portal.</li>
<li>The attacker attempts to create a new Automation Account if one doesn't exist, or uses an existing one.</li>
<li>The attacker creates a new Runbook designed to execute malicious tasks. This could include adding a new user account with elevated privileges.</li>
<li>The attacker creates a webhook associated with the malicious Runbook. This generates an unauthenticated URL.</li>
<li>The attacker configures the webhook to trigger the Runbook upon accessing the unauthenticated URL.</li>
<li>The attacker tests the webhook URL to ensure the Runbook executes as intended.</li>
<li>The attacker leverages the webhook URL to execute malicious actions within the Azure environment, such as creating new high privileged accounts or modifying existing infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to gain unauthorized access and control over Azure resources. This can result in data breaches, service disruptions, and further compromise of the environment. If not detected promptly, this can lead to significant financial and reputational damage. This issue impacts any organization using Azure Automation and exposes all data and resources managed within the impacted Azure tenant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Runbook Webhook Created</code> to your SIEM and tune for your environment to detect the creation of malicious webhooks.</li>
<li>Investigate any detected instances of Azure Runbook Webhook creation, focusing on the user (<code>user</code>) and source IP (<code>src_ip</code>) involved.</li>
<li>Review Azure Activity logs for the &quot;Microsoft.Automation/automationAccounts/webhooks/write&quot; operation.</li>
<li>Monitor network traffic for suspicious connections to newly created webhook URLs (related to the created <code>object</code>).</li>
<li>Implement strict access control policies and multi-factor authentication for all Azure accounts to prevent initial compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>runbook</category><category>webhook</category><category>persistence</category></item></channel></rss>