AZT404.1 - Principal Impersonation: Function Application#

By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Resource

Function Application

Actions

Microsoft.Web/sites/hostruntime/vfs/run.csx/write
Microsoft.Web/sites/functions/write
Microsoft.Web/sites/write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Update-AzFunctionApp

az functionapp update

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2021-02-01

functionapp

Detections

Logs#

Data Source	Operation Name	Action	Log Provider
Resource	Write Run.csx	Microsoft.Web/sites/hostruntime/vfs/run.csx/write	AzureActivity
Resource	Update Web Apps Functions	Microsoft.Web/sites/functions/write	AzureActivity
Resource	Update website	Microsoft.Web/sites/write	AzureActivity

Queries#

Platform	Query
Log Analytics	`let appname = toscalar(FunctionAppLogs \| where Type == 'FunctionAppLogs' and Message has 'Executed' \| project split(_ResourceId, '/')[-1]); AADManagedIdentitySignInLogs \| where ServicePrincipalName contains appname`

Azure Monitor Alert#

Additional Resources

https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=ps%2Cdotnet