AZT302.3 - Unmanaged Scripting: Automation Account RunAs Account#
By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
Resource
Automation Account
Actions
- Microsoft.Automation/automationAccounts/runbooks/*
Examples
Detections
Logs#
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | Azure Activity Log |
Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | Azure Activity Log |
Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | Azure Activity Log |
Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | Azure Activity Log |
Queries#
|where OperationNameValue=="Microsoft.Automation/automationAccounts/jobs/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/publish/action"
or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/draft/write" or OperationNameValue=="Microsoft.Automation/automationAccounts/runbooks/write"
Additional Resources
https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution