AZT302 - Unmanaged Scripting

Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.

| ID | Name | Description | Action | Resources |
| --- | --- | --- | --- | --- |
| AZT302.1 | Automation Account Hybrid Worker Group | By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account |
| AZT302.2 | Automation Account Runbook RunAs Account | By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account |
| AZT302.3 | Automation Account Runbook Managed Identity | By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account |
| AZT302.4 | Function Application | By utilizing a Function Application, an attacker can execute Azure operations on a given resource. | Microsoft.Web/sites/hostruntime/host/action | Function App |