AZT302 - Unmanaged Scripting
Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.
ID | Name | Description | Action | Resources |
---|---|---|---|---|
AZT302.1 | Automation Account Hybrid Worker Group | By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account |
AZT302.2 | Automation Account Runbook RunAs Account | By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account |
AZT302.3 | Automation Account Runbook Managed Identity | By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account |
AZT302.4 | Function Application | By utilizing a Function Application, an attacker can execute Azure operations on a given resource. | Microsoft.Web/sites/hostruntime/host/action | Function App |
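
For defenders, the Action column above can be used directly as a match list when reviewing control-plane activity. The following is an added example, not part of the original technique page: it flags activity-log records whose operation name matches one of those patterns and groups them by caller. The record layout (`operationName.value`, `caller`, `resourceId`, `eventTimestamp`) is an assumption modelled on the output of `az monitor activity-log list`; the callers, resource IDs and the allow-list are constructed for illustration.

```python
import fnmatch
from collections import defaultdict

# Patterns from the table's Action column. AZT302.1-.3 share one pattern,
# so the operation name alone cannot tell those three apart.
ACTION_PATTERNS = {
    "microsoft.automation/automationaccounts/runbooks/*": "AZT302.1-AZT302.3",
    "microsoft.web/sites/hostruntime/host/action": "AZT302.4",
}

def classify(operation):
    """Return the AZT302 label for an operation name, or None if unrelated."""
    op = operation.lower()  # lower-cased so the match ignores case
    for pattern, label in ACTION_PATTERNS.items():
        if fnmatch.fnmatchcase(op, pattern):  # '*' also spans nested paths
            return label
    return None

def triage(events, expected_callers=frozenset()):
    """Group matching operations by caller, skipping allow-listed callers."""
    allowed = {c.lower() for c in expected_callers}
    hits = defaultdict(list)
    for ev in events:
        label = classify((ev.get("operationName") or {}).get("value", ""))
        caller = ev.get("caller", "unknown")
        if label and caller.lower() not in allowed:
            hits[caller].append((ev.get("eventTimestamp"), label, ev.get("resourceId")))
    return dict(hits)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
# Constructed sample records (assumed field layout), not real log data.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": "deploy-pipeline@example.com",
     "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write"},
     "resourceId": SUB + "/aa-example/runbooks/patching"},
    {"eventTimestamp": "2024-01-01T10:05:00Z", "caller": "user@example.com",
     "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/draft/write"},
     "resourceId": SUB + "/aa-example/runbooks/rb-example"},
    {"eventTimestamp": "2024-01-01T10:06:00Z", "caller": "user@example.com",
     "operationName": {"value": "MICROSOFT.WEB/sites/hostruntime/host/action"},
     "resourceId": SUB + "/func-example"},
    {"eventTimestamp": "2024-01-01T10:07:00Z", "caller": "user@example.com",
     "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/read"},
     "resourceId": SUB + "/rg-example"},
]

if __name__ == "__main__":
    for caller, rows in triage(SAMPLE_EVENTS, {"deploy-pipeline@example.com"}).items():
        for ts, label, rid in rows:
            print(caller, ts, label, rid)
```

Because AZT302.1 through AZT302.3 share one action pattern, separating them requires checking how the Automation Account itself is configured (Hybrid Worker Group, RunAs account or Managed Identity).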