AZT404.1 - Principal Impersonation: Function Application#
By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Resource
Function Application
Actions
- Microsoft.Web/sites/hostruntime/vfs/run.csx/write
- Microsoft.Web/sites/functions/write
- Microsoft.Web/sites/write
Examples
Detections
Logs#
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Resource | Write Run.csx | Microsoft.Web/sites/hostruntime/vfs/run.csx/write | Azure Activity Log |
Resource | Update Web Apps Functions | Microsoft.Web/sites/functions/write | Azure Activity Log |
Resource | Update website | Microsoft.Web/sites/write | Azure Activity Log |
Queries#
AzureActivity
|where OperationNameValue=="Microsoft.Web/sites/hostruntime/vfs/run.csx/write" or OperationNameValue=="Microsoft.Web/sites/functions/write"
or OperationNameValue=="Microsoft.Web/sites/write"