Skip to content

AZT302.3 - Unmanaged Scripting: Automation Account RunAs Account#

By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

Resource

Automation Account

Actions

  • Microsoft.Automation/automationAccounts/runbooks/*

Detections

Logs#

Data Source Operation Name Action Log Location
Resource Create an Azure Automation job Microsoft.Automation/automationAccounts/jobs/write Azure Activity Log
Resource Publish an Azure Automation runbook draft Microsoft.Automation/automationAccounts/runbooks/publish/action Azure Activity Log
Resource Write an Azure Automation runbook draft Microsoft.Automation/automationAccounts/runbooks/draft/write Azure Activity Log
Resource Create or Update an Azure Automation Runbook Microsoft.Automation/automationAccounts/runbooks/write Azure Activity Log

Queries#

|where OperationNameValue=="Microsoft.Automation/automationAccounts/jobs/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/publish/action"
 or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/draft/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/write"