AZT601.4 - Steal Managed Identity JsonWebToken: Automation Account Runbook
If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.
Resource
Automation Account
Actions
- Microsoft.Automation/automationAccounts/runbooks/write
Examples
Detections
Logs
Data Source | Operation Name | Action | Log Provider |
---|---|---|---|
Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | AzureActivity |
Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | AzureActivity |
Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | AzureActivity |
Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | AzureActivity |
Queries
Platform | Query |
---|---|
Log Analytics | `AzureDiagnostics \| where ResourceProvider == 'MICROSOFT.AUTOMATION' and ResultDescription has 'access_token'` |
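An added example, not code from the AzTRM page: it replays the filter in the Queries table over constructed AzureDiagnostics records and joins each hit to the AzureActivity operations listed under Logs, so an alert also names who authored or started the runbook on that automation account. The record shape, resource IDs and caller names are assumptions, not the exact schema of either table.

```python
from collections import defaultdict

# Control-plane operations listed in the page's Logs table (AzureActivity).
RUNBOOK_OPS = {
    "Microsoft.Automation/automationAccounts/runbooks/write",
    "Microsoft.Automation/automationAccounts/runbooks/draft/write",
    "Microsoft.Automation/automationAccounts/runbooks/publish/action",
    "Microsoft.Automation/automationAccounts/jobs/write",
}

# Constructed sample records, not real telemetry. Field names follow the Azure tables,
# but the shape is simplified (assumption: ResourceId is the automation account).
AA1 = "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa1"
AA2 = "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa2"
ST1 = "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1"
AZURE_ACTIVITY = [
    {"ResourceId": AA1, "Caller": "alice@example.com",
     "OperationNameValue": "Microsoft.Automation/automationAccounts/runbooks/write"},
    {"ResourceId": AA1, "Caller": "alice@example.com",
     "OperationNameValue": "Microsoft.Automation/automationAccounts/jobs/write"},
    {"ResourceId": AA2, "Caller": "backup-svc@example.com",
     "OperationNameValue": "Microsoft.Automation/automationAccounts/jobs/write"},
]
AZURE_DIAGNOSTICS = [
    {"ResourceProvider": "MICROSOFT.AUTOMATION", "ResourceId": AA1,
     "ResultDescription": '{"token_type":"Bearer","access_token":"<constructed-placeholder>"}'},
    {"ResourceProvider": "MICROSOFT.AUTOMATION", "ResourceId": AA2,
     "ResultDescription": "Backup job completed, 12 blobs copied"},
    {"ResourceProvider": "MICROSOFT.STORAGE", "ResourceId": ST1,
     "ResultDescription": "access_token header rejected"},  # other provider, out of scope
]

def token_in_job_output(diagnostics):
    """The page's KQL filter; KQL `has` is a case-insensitive term match,
    approximated here by a lower-cased substring test."""
    return [r for r in diagnostics if r["ResourceProvider"] == "MICROSOFT.AUTOMATION"
            and "access_token" in r["ResultDescription"].lower()]

def correlate(activity, diagnostics):
    """Pair each token-bearing job output with the runbook/job writes on the same
    automation account, so the alert also names who authored or started the runbook."""
    writes = defaultdict(list)
    for a in activity:
        if a["OperationNameValue"] in RUNBOOK_OPS:
            writes[a["ResourceId"].lower()].append(a)
    return [{"resource": hit["ResourceId"].lower(),
             "callers": sorted({a["Caller"] for a in writes[hit["ResourceId"].lower()]}),
             "operations": sorted({a["OperationNameValue"] for a in writes[hit["ResourceId"].lower()]})}
            for hit in token_in_job_output(diagnostics)]
```

Only the aa1 output matches: the aa2 job never emits a token and the storage record fails the ResourceProvider filter, so a single alert is raised and it carries the caller behind the runbook write and job start.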