
AZT302.1 - Unmanaged Scripting: Automation Account Hybrid Worker Group

A runbook in an Automation Account that has a Hybrid Worker Group configured can be started with that group as its RunOn target. Instead of running in an Azure sandbox, the runbook then executes on one of the Azure VMs enrolled in the group, with the privileges of the Hybrid Runbook Worker service (local System on Windows workers). An attacker who holds the runbook draft write, runbook write, publish and job write actions listed below can therefore write their own script into a runbook, publish it, and start a job against the group to obtain code execution on any VM that is a member of it, without ever touching the VM's own management plane.

Resource

Automation Account

Actions

  • Microsoft.Automation/automationAccounts/runbooks/draft/write
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/publish/action
  • Microsoft.Automation/automationAccounts/jobs/write

Detections

Detection Details

Turn on diagnostic logging for the Automation Account. The query below reads the AzureDiagnostics table, so a diagnostic setting that forwards the account's JobLogs category (and, for runbook output, JobStreams with verbose logging enabled on the runbooks) to a Log Analytics workspace must be in place. The RunOn_s column is populated from those job records and carries the Hybrid Worker Group name when a job was dispatched to one; it is empty for jobs that ran in the Azure sandbox. Without the diagnostic setting the table has no rows for the account and the query returns nothing.

Logs

| Data Source | Operation Name | Action/On-Disk Location | Log Provider |
|---|---|---|---|
| Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | AzureActivity |
| Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | AzureActivity |
| Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | AzureActivity |
| Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | AzureActivity |
| Target VM file system (Windows) | File Creation | C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows\0.1.0.18\Status | Event |

The version segment of the on-disk path (0.1.0.18 above) changes with the installed extension version, so host-based rules should match on the HybridWorkerForWindows plugin directory rather than on the exact path.

Queries

| Platform | Query |
|---|---|
| Log Analytics | `AzureDiagnostics \| where ResourceType == 'AUTOMATIONACCOUNTS' and RunOn_s != ''` |

Because RunOn_s is only set for jobs dispatched to a Hybrid Worker Group, the filter isolates exactly the jobs this technique produces; restricting to the JobLogs category and projecting RunbookName_s, RunOn_s and ResultType keeps the output to one row per job event.
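The following is an added example, not code from the original page: it replays the Log Analytics query above over constructed log records and then correlates each hybrid-worker job with the four AzureActivity operations from the Logs table, which is the pattern this technique leaves behind (runbook written and published, then a job started with RunOn set). Column names follow the AzureDiagnostics and AzureActivity schemas; every row, caller, group name and resource ID is made up for the example.

```python
"""Replay of the AzureDiagnostics hybrid-worker query over constructed records,
correlated with the runbook/job control-plane writes in AzureActivity.
Added example; all rows and identifiers below are constructed."""
from datetime import datetime, timedelta

# Constructed Automation Account resource ID (placeholder subscription and names).
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-ops"
              "/providers/microsoft.automation/automationaccounts/aa-prod")

# The four actions from the Logs table, as AzureActivity.OperationNameValue strings
# (compared case-insensitively, since the Activity Log upper-cases them).
RUNBOOK_OPERATIONS = {
    "microsoft.automation/automationaccounts/runbooks/draft/write",
    "microsoft.automation/automationaccounts/runbooks/write",
    "microsoft.automation/automationaccounts/runbooks/publish/action",
    "microsoft.automation/automationaccounts/jobs/write",
}

# Constructed AzureDiagnostics rows (JobLogs category).
SAMPLE_DIAGNOSTICS = [
    # Routine sandbox job: RunOn_s is empty, so the query must ignore it.
    {"TimeGenerated": "2024-05-01T10:00:00Z", "ResourceType": "AUTOMATIONACCOUNTS",
     "Category": "JobLogs", "_ResourceId": ACCOUNT_ID,
     "RunbookName_s": "Update-Inventory", "RunOn_s": "", "ResultType": "Completed"},
    # Job dispatched to a Hybrid Worker Group: this is what the query surfaces.
    {"TimeGenerated": "2024-05-01T10:07:00Z", "ResourceType": "AUTOMATIONACCOUNTS",
     "Category": "JobLogs", "_ResourceId": ACCOUNT_ID,
     "RunbookName_s": "Sync-Config", "RunOn_s": "hwg-dc", "ResultType": "Running"},
    # Other resource type carrying a RunOn_s column: must not match.
    {"TimeGenerated": "2024-05-01T10:08:00Z", "ResourceType": "WORKSPACES",
     "Category": "Audit", "_ResourceId": "/subscriptions/.../law-1",
     "RunbookName_s": "", "RunOn_s": "hwg-dc", "ResultType": "Completed"},
]

# Constructed AzureActivity rows for the same account, plus one unrelated write.
SAMPLE_ACTIVITY = [
    {"TimeGenerated": "2024-05-01T10:03:00Z", "Caller": "svc-deploy@contoso.com",
     "OperationNameValue": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
     "ActivityStatusValue": "Success", "_ResourceId": ACCOUNT_ID + "/runbooks/sync-config"},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "Caller": "svc-deploy@contoso.com",
     "OperationNameValue": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
     "ActivityStatusValue": "Success", "_ResourceId": ACCOUNT_ID + "/runbooks/sync-config"},
    {"TimeGenerated": "2024-05-01T10:06:00Z", "Caller": "svc-deploy@contoso.com",
     "OperationNameValue": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE",
     "ActivityStatusValue": "Success", "_ResourceId": ACCOUNT_ID + "/jobs/3f4c1a2e-0001"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "Caller": "ops@contoso.com",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "ActivityStatusValue": "Success",
     "_ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups"
                    "/rg-ops/providers/microsoft.compute/virtualmachines/vm-dc01"},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hybrid_worker_jobs(rows):
    """Equivalent of: AzureDiagnostics | where ResourceType == 'AUTOMATIONACCOUNTS' and RunOn_s != ''"""
    return [r for r in rows
            if r.get("ResourceType") == "AUTOMATIONACCOUNTS" and r.get("RunOn_s", "") != ""]


def runbook_changes(activity, account_id):
    """Successful runbook/job control-plane writes scoped to one Automation Account."""
    prefix = account_id.lower()
    return [a for a in activity
            if a.get("OperationNameValue", "").lower() in RUNBOOK_OPERATIONS
            and a.get("ActivityStatusValue") == "Success"
            and a.get("_ResourceId", "").lower().startswith(prefix)]


def correlate(diag_rows, activity_rows, window=timedelta(minutes=30)):
    """One finding per hybrid-worker job, enriched with the control-plane writes on the
    same account in the preceding window. A runbook that was written or published right
    before it ran on a hybrid worker is the signature of this technique, so such
    findings are rated high; a job against an unchanged runbook is rated medium."""
    findings = []
    for job in hybrid_worker_jobs(diag_rows):
        job_time = _ts(job["TimeGenerated"])
        preceding = [a for a in runbook_changes(activity_rows, job["_ResourceId"])
                     if job_time - window <= _ts(a["TimeGenerated"]) <= job_time]
        ops = sorted({a["OperationNameValue"].lower().split("automationaccounts/", 1)[1]
                      for a in preceding})
        findings.append({
            "runbook": job["RunbookName_s"],
            "hybrid_worker_group": job["RunOn_s"],
            "callers": sorted({a["Caller"] for a in preceding}),
            "operations": ops,
            "severity": "high" if any(o.startswith("runbooks/") for o in ops) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_DIAGNOSTICS, SAMPLE_ACTIVITY):
        print(finding)
```

The 30-minute correlation window and the high/medium split are choices for this example, not something the page prescribes; in a real workspace the same join is done in KQL between AzureDiagnostics and AzureActivity on the account's resource ID.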

Azure Monitor Alert

The original page provides a Deploy to Azure link for an Azure Monitor alert rule template; the link is not reproduced here.