Skip to content

AZT404.1 - Principal Impersonation: Function Application#

By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Resource

Function Application

Actions

  • Microsoft.Web/sites/hostruntime/vfs/run.csx/write
  • Microsoft.Web/sites/functions/write
  • Microsoft.Web/sites/write

Detections

Logs#

Data Source Operation Name Action Log Location
Resource Write Run.csx Microsoft.Web/sites/hostruntime/vfs/run.csx/write Azure Activity Log
Resource Update Web Apps Functions Microsoft.Web/sites/functions/write Azure Activity Log
Resource Update website Microsoft.Web/sites/write Azure Activity Log

Queries#

AzureActivity 
|where OperationNameValue=="Microsoft.Web/sites/hostruntime/vfs/run.csx/write" or OperationNameValue=="Microsoft.Web/sites/functions/write"
or OperationNameValue=="Microsoft.Web/sites/write"