AZT302.3 - Unmanaged Scripting: Automation Account RunAs Account#

By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

Resource

Automation Account

Actions

Microsoft.Automation/automationAccounts/runbooks/*

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

New-AzAutomationRunbook

az automation runbook create

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01

runbook

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Resource	Create an Azure Automation job	Microsoft.Automation/automationAccounts/jobs/write	Azure Activity Log
Resource	Publish an Azure Automation runbook draft	Microsoft.Automation/automationAccounts/runbooks/publish/action	Azure Activity Log
Resource	Write an Azure Automation runbook draft	Microsoft.Automation/automationAccounts/runbooks/draft/write	Azure Activity Log
Resource	Create or Update an Azure Automation Runbook	Microsoft.Automation/automationAccounts/runbooks/write	Azure Activity Log

Queries#

Log Analytics

|where OperationNameValue=="Microsoft.Automation/automationAccounts/jobs/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/publish/action"
 or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/draft/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/write"

Additional Resources

https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution