AZT404.2 - Principal Impersonation: Logic Application#

By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Resource

Logic Application

Actions

Microsoft.Logic/workflows/write
Microsoft.Logic/workflows/run/action
Microsoft.Logic/operations/read

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Set-AzLogicApp

az logicapp start

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}?api-version=2016-06-01

logicapp

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Resource	Gets workflow recommend operation groups	Microsoft.Logic/locations/workflows/recommendOperationGroups/action	Azure Activity Log
Resource	List Trigger Callback URL	Microsoft.Logic/workflows/triggers/listCallbackUrl/action	Azure Activity Log
Resource	Add or Update Connection	Microsoft.Web/connections/write	Azure Activity Log
Azure Active Directory	Update website	Microsoft.Web/sites/write	AzureAD Audit Logs
Azure Active Directory	Start Web App	Microsoft.Web/sites/start/action	AzureAD Audit Logs

Queries#

Log Analytics

AzureActivity 
 |where OperationNameValue=="Microsoft.Logic/locations/workflows/recommendOperationGroups/action" or OperationNameValue=="Microsoft.Logic/workflows/triggers/listCallbackUrl/action"
or OperationNameValue=="Microsoft.Web/connections/write" or OperationNameValue=="Microsoft.Web/sites/write" or OperationNameValue=="Microsoft.Web/sites/start/action"

Additional Resources

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview