AZT503.1 - HTTP Trigger: Logic Application HTTP Trigger

Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

Resource

Logic Application

Actions

  • Microsoft.Logic/workflows/write
  • Microsoft.Logic/workflows/run/action
  • Microsoft.Logic/operations/read

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Resource | Gets workflow recommend operation groups | Microsoft.Logic/locations/workflows/recommendOperationGroups/action | AzureActivity |
| Resource | List Trigger Callback URL | Microsoft.Logic/workflows/triggers/listCallbackUrl/action | AzureActivity |
| Resource | Add or Update Connection | Microsoft.Web/connections/write | AzureActivity |

Queries

Platform: Log Analytics

Query:

    AzureActivity
    | where OperationNameValue=='Microsoft.Logic/locations/workflows/recommendOperationGroups/action'
        or OperationNameValue=='Microsoft.Logic/workflows/triggers/listCallbackUrl/action'
        or OperationNameValue=='Microsoft.Web/connections/write'
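
The following Log Analytics query is an added example, not part of the original page. It narrows the detection above to callers who performed one of the three logged operations shortly after a successful `Microsoft.Logic/workflows/write` (from the Actions list). The 7-day lookback, the 1-hour correlation window and the output column names are assumptions chosen for illustration; matching is case-insensitive so that casing differences in `OperationNameValue` do not cause missed records.

```kusto
// Added example: correlate workflow changes with the logged operations from this page.
// Assumptions: lookback and correlationWindow values are illustrative, tune per environment.
let lookback = 7d;
let correlationWindow = 1h;
// Operation names taken from the Logs table on this page.
let watchedOperations = dynamic([
    "Microsoft.Logic/locations/workflows/recommendOperationGroups/action",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
    "Microsoft.Web/connections/write"
]);
// Successful Logic Application definition changes, one row per write.
let workflowWrites =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "Microsoft.Logic/workflows/write"
    | where ActivityStatusValue =~ "Success"
    | project WriteTime = TimeGenerated, Caller, WorkflowId = tolower(_ResourceId);
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue in~ (watchedOperations)
| where ActivityStatusValue =~ "Success"
| project EventTime = TimeGenerated, Caller, CallerIpAddress, OperationNameValue
// Same identity changed a workflow and then triggered a watched operation.
| join kind=inner workflowWrites on Caller
| where EventTime >= WriteTime and EventTime <= WriteTime + correlationWindow
| summarize
    FirstSeen = min(EventTime),
    LastSeen = max(EventTime),
    Operations = make_set(OperationNameValue),
    SourceIPs = make_set(CallerIpAddress)
    by Caller, WorkflowId
| order by LastSeen desc
```

Rows where `Operations` contains both the callback URL listing and a connection write for a caller that does not normally manage Logic Applications are the ones to review first.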

Azure Monitor Alert

Deploy to Azure