AZT302.1 - Unmanaged Scripting: Automation Account Hybrid Worker Group#
By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
Resource
Automation Account
Actions
- Microsoft.Automation/automationAccounts/runbooks/draft/write
- Microsoft.Automation/automationAccounts/runbooks/write
- Microsoft.Automation/automationAccounts/runbooks/publish/action
- Microsoft.Automation/automationAccounts/jobs/write
Examples
Detections
Detection Details#
It is recommended to turn on verbose logging for Automation Accounts.
Logs#
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | Azure Activity Log |
| Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | Azure Activity Log |
| Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | Azure Activity Log |
| Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | Azure Activity Log |
| On Target Resource File (Windows) | File Creation | N/A | C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows\0.1.0.18\Status |
Queries#
|where OperationNameValue=="Microsoft.Automation/automationAccounts/jobs/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/publish/action"
or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/draft/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/write"
Additional Resources
https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution