AZT602.1 - Steal Service Principal Certificate: Automation Account RunAs Account#

If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.

Resource

Automation Account

Actions

Microsoft.Automation/automationAccounts/runbooks/*

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

az automation runbook

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01

runbook

Detections

Logs#

Data Source	Operation Name	Action	Log Provider
Resource	Create an Azure Automation job	Microsoft.Automation/automationAccounts/jobs/write	AzureActivity
Resource	Publish an Azure Automation runbook draft	Microsoft.Automation/automationAccounts/runbooks/publish/action	AzureActivity
Resource	Write an Azure Automation runbook draft	Microsoft.Automation/automationAccounts/runbooks/draft/write	AzureActivity
Resource	Create or Update an Azure Automation Runbook	Microsoft.Automation/automationAccounts/runbooks/write	AzureActivity

Queries#

Platform	Query
Log Analytics	`AzureDiagnostics \| where ResourceProvider == 'MICROSOFT.AUTOMATION' and ResultDescription has 'Thumbprint'`

Azure Monitor Alert#

Additional Resources

https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution