AZT503.3 - HTTP Trigger: Runbook Webhook

Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.

Resource

Automation Accounts

Actions

• Microsoft.Automation/automationAccounts/runbooks/*
• Microsoft.Automation/automationAccounts/webhooks/write

Examples

Az PowerShellAzure REST APIAzure Portal

New-AzAutomationWebhook

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/webhooks/{webhookName}?api-version=2015-10-31

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Resource	Create or Update an Azure Automation webhook	Microsoft.Automation/automationAccounts/webhooks/write	AzureActivity

Queries

Platform	Query
Log Analytics	AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE'

Azure Monitor Alert

Additional Resources

• https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal
• https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/