AZT302.3 - Unmanaged Scripting: Automation Account Managed Identity Account#
By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
Resource
Automation Account
Actions
- Microsoft.Automation/automationAccounts/runbooks/*
Examples
Detections
Detection Details#
Note that the listed query requires Azure Diagnostics turned on for the resource.
Logs#
Data Source | Operation Name | Action | Log Provider |
---|---|---|---|
Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | AzureActivity |
Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | AzureActivity |
Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | AzureActivity |
Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | AzureActivity |
Queries#
Platform | Query |
---|---|
Log Analytics | `#!sql |
## Queries |
Platform | Query |
---|---|
Log Analytics | AzureDiagnostics | where ResultDescription has 'TenantId' and ResultDescription has 'SubscriptionName' and ResultDescription has 'Account' and ResourceType == 'AUTOMATIONACCOUNTS' |
` |
Azure Monitor Alert#
Additional Resources
https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution