AZT605.2 - Resource Secret Reveal: Automation Account Credential Secret Dump

By editing a Runbook, a credential configured in an Automation Account may be revealed

Resource

Automation Account

Actions

• Microsoft.Automation/automationAccounts/runbooks/*

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

• New-AzAutomationRunbook
• Set-AzAutomationRunbook

az automation runbook

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Resource	Create an Azure Automation job	Microsoft.Automation/automationAccounts/jobs/write	AzureActivity
Resource	Publish an Azure Automation runbook draft	Microsoft.Automation/automationAccounts/runbooks/publish/action	AzureActivity
Resource	Write an Azure Automation runbook draft	Microsoft.Automation/automationAccounts/runbooks/draft/write	AzureActivity
Resource	Create or Update an Azure Automation Runbook	Microsoft.Automation/automationAccounts/runbooks/write	AzureActivity

Queries

Platform	Query
Log Analytics	AzureActivity |where OperationNameValue=='Microsoft.Automation/automationAccounts/jobs/write' or OperationNameValue=='Microsoft.Automation/automationAccounts/runbooks/publish/action' or OperationNameValue=='Microsoft.Automation/automationAccounts/runbooks/draft/write' or OperationNameValue=='Microsoft.Automation/automationAccounts/runbooks/write'

Azure Monitor Alert

Additional Resources

https://learn.microsoft.com/en-us/azure/automation/shared-resources/credentials?tabs=azure-powershell#create-a-new-credential-asset-with-the-azure-portal