Azure Automation Runbook Created or Modified
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Created or Modified"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:
    (
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or
      "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION"
    ) and
  event.outcome:(Success or success)
'''
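To see what the KQL above actually selects, the following added example (not part of the Elastic rule or its repository) re-implements the query's three clauses in Python and runs them over a constructed newline-delimited JSON sample in the ECS shape the rule expects. The webhook operation name in the sample is a constructed distractor, included only to show that the rule ignores non-runbook writes.

```python
import json

# Operation names taken verbatim from the rule's query.
RUNBOOK_WRITE_OPS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
}

def get_field(event, dotted):
    """Resolve an ECS dotted field name against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """The rule's three clauses. KQL on keyword fields is case-sensitive, which is
    why the query lists both 'Success' and 'success'; accept the same two values."""
    return (
        get_field(event, "event.dataset") == "azure.activitylogs"
        and get_field(event, "azure.activitylogs.operation_name") in RUNBOOK_WRITE_OPS
        and get_field(event, "event.outcome") in {"Success", "success"}
    )

def alerting_events(ndjson):
    """Run the predicate over newline-delimited JSON; return matching operation names."""
    hits = []
    for line in filter(str.strip, ndjson.splitlines()):
        ev = json.loads(line)
        if matches_rule(ev):
            hits.append(get_field(ev, "azure.activitylogs.operation_name"))
    return hits

def _ev(op, outcome, dataset="azure.activitylogs"):
    """Build a minimal constructed activity-log event in the ECS shape the rule expects."""
    return {"event": {"dataset": dataset, "outcome": outcome},
            "azure": {"activitylogs": {"operation_name": op}}}

# Constructed sample log, not real telemetry: a publish, a failed draft write, an
# unrelated (constructed) webhook write, and a lower-case outcome variant.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    _ev("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION", "Success"),
    _ev("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE", "Failure"),
    _ev("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE", "Success"),
    _ev("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE", "success"),
])
```

Only the publish and the lower-case-outcome write alert; the failed draft write and the webhook write fall outside the rule's predicate.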
Related rules
- Azure Automation Webhook Created
- Azure Conditional Access Policy Modified
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- Azure AD Global Administrator Role Assigned