Skip to content

AZT302.1 - Unmanaged Scripting: Automation Account Hybrid Worker Group#

By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.


Automation Account


  • Microsoft.Automation/automationAccounts/runbooks/draft/write
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/publish/action
  • Microsoft.Automation/automationAccounts/jobs/write


Detection Details#

It is recommended to turn on verbose logging for Automation Accounts. Note that the listed query requires Azure Diagnostics turned on for the resource.


Data Source Operation Name Action/On-Disk Location Log Provider
Resource Create an Azure Automation job Microsoft.Automation/automationAccounts/jobs/write AzureActivity
Resource Publish an Azure Automation runbook draft Microsoft.Automation/automationAccounts/runbooks/publish/action AzureActivity
Resource Write an Azure Automation runbook draft Microsoft.Automation/automationAccounts/runbooks/draft/write AzureActivity
Resource Create or Update an Azure Automation Runbook Microsoft.Automation/automationAccounts/runbooks/write AzureActivity
On Target Resource File (Windows) File Creation C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows\\Status Event


Platform Query
Log Analytics AzureDiagnostics | where ResourceType == 'AUTOMATIONACCOUNTS' and RunOn_s != ''

Azure Monitor Alert#

Deploy to Azure