AZT605.2 - Resource Secret Reveal: Automation Account Credential Secret Dump

By editing a Runbook, a credential configured in an Automation Account may be revealed.

Resource

Automation Account

Actions

  • Microsoft.Automation/automationAccounts/runbooks/*

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
| --- | --- | --- | --- |
| Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | AzureActivity |
| Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | AzureActivity |
| Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | AzureActivity |
| Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | AzureActivity |

Queries

Platform: Log Analytics

```kusto
AzureActivity
| where OperationNameValue == 'Microsoft.Automation/automationAccounts/jobs/write'
    or OperationNameValue == 'Microsoft.Automation/automationAccounts/runbooks/publish/action'
    or OperationNameValue == 'Microsoft.Automation/automationAccounts/runbooks/draft/write'
    or OperationNameValue == 'Microsoft.Automation/automationAccounts/runbooks/write'
```
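
An added triage example, not part of the original page: the query matches each of the four operations on its own, so routine job starts match too. This Python code assumes exported AzureActivity rows carrying `TimeGenerated`, `Caller`, `OperationNameValue` and `_ResourceId`, and flags a caller who edits a runbook, publishes it and then starts a job on the same Automation Account within 30 minutes. The window, the function names and the sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Operation names from the Logs table on this page, lower-cased for comparison.
P = "microsoft.automation/automationaccounts/"
EDIT_OPS = {P + "runbooks/draft/write", P + "runbooks/write"}
PUBLISH_OP, JOB_OP = P + "runbooks/publish/action", P + "jobs/write"

def account_of(resource_id):
    """Return the Automation Account prefix of a resource ID, lower-cased."""
    rid, marker = resource_id.lower(), "/automationaccounts/"
    start = rid.find(marker)
    if start < 0:
        return None
    end = rid.find("/", start + len(marker))
    return rid if end < 0 else rid[:end]

def find_edit_publish_run(events, window=timedelta(minutes=30)):
    """Return caller/account pairs that edit, publish, then start a job, in order."""
    progress, hits = {}, []   # progress: (caller, account) -> [stage, first edit time]
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        op, account = ev["OperationNameValue"].lower(), account_of(ev["_ResourceId"])
        if account is None:
            continue
        key, now = (str(ev.get("Caller") or "").lower(), account), ev["TimeGenerated"]
        state = progress.get(key)
        if state and now - state[1] > window:
            state = None                     # stale sequence: ignore until the next edit
        if op in EDIT_OPS and state is None:
            progress[key] = [1, now]
        elif op == PUBLISH_OP and state and state[0] == 1:
            state[0] = 2
        elif op == JOB_OP and state and state[0] == 2:
            hits.append({"caller": key[0], "account": account,
                         "first_edit": state[1], "job_started": now})
            del progress[key]
    return hits

# Constructed sample records (not real log data); IDs and callers are placeholders.
ACCT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
        "/providers/Microsoft.Automation/automationAccounts/aa-example")
T0 = datetime(2024, 1, 1, 9, 0)
def record(minutes, caller, op, suffix):
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "Caller": caller,
            "OperationNameValue": op, "_ResourceId": ACCT + suffix}
SAMPLE = [
    record(0, "alice@example.com", "Microsoft.Automation/automationAccounts/runbooks/draft/write", "/runbooks/rb1"),
    record(2, "alice@example.com", "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION", "/runbooks/rb1"),
    record(3, "alice@example.com", "Microsoft.Automation/automationAccounts/jobs/write", "/jobs/job1"),
    record(5, "scheduler@example.com", "Microsoft.Automation/automationAccounts/jobs/write", "/jobs/job2"),
]
```

`find_edit_publish_run(SAMPLE)` returns one hit for the first caller; the second caller's job start has no preceding edit and publish, so it is not flagged.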

Azure Monitor Alert

Deploy to Azure