AZT503.4 - HTTP Trigger: WebJob

Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule

Resource

App Service

Actions

• Microsoft.Web/sites/Write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Start-AzWebAppTriggeredWebJob

az webapp webjob triggered

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/triggeredwebjobs/{webJobName}/run?api-version=2021-02-01

Detections

Detection Details

To enable logging on AppServices, a Diagnostic setting must be enabled to send logs to an aggregator. In addition, App Service Logs should be enabled.

WebJob output logs can be viewed on the web application in the format: https://{WEBAPPNAME}.scm.azurewebsites.net/azurejobs/#/jobs/

Detection Screenshot

Web Job LogsApplication Logs

Queries

Platform	Query
Log Analytics	#!sql

Azure Monitor Alert

Additional Resources

• https://github.com/Azure/azure-webjobs-sdk/wiki#documentation
• https://docs.microsoft.com/en-us/azure/app-service/webjobs-create