AZT302.4 - Unmanaged Scripting: Function Application#

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

Resource

Automation Account

Actions

Microsoft.Web/sites/hostruntime/vfs/run.csx/write
Microsoft.Web/sites/functions/write
Microsoft.Web/sites/write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Update-AzFunctionApp

az functionapp update

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/functions?api-version=2021-02-01

functionapp

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Resource	Write Run.csx	Microsoft.Web/sites/hostruntime/vfs/run.csx/write	Azure Activity Log
Resource	Update Web Apps Functions	Microsoft.Web/sites/functions/write	Azure Activity Log
Resource	Update website	Microsoft.Web/sites/write	Azure Activity Log

Queries#

Log Analytics

 |where OperationNameValue=="Microsoft.Web/sites/hostruntime/vfs/run.csx/write" or OperationNameValue=="Microsoft.Web/sites/functions/write"
or OperationNameValue=="Microsoft.Web/sites/write"

Additional Resources

https://docs.microsoft.com/en-us/azure/azure-functions/functions-get-started?pivots=programming-language-powershell