Azure Automation Runbook Created or Modified

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.

Elastic rule

[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Created or Modified"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
    "https://github.com/hausec/PowerZure",
    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
    "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and
  azure.activitylogs.operation_name:
  (
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION"
  ) and
  event.outcome:(Success or success)
'''
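The KQL query above, reduced to plain matching logic and run over a handful of constructed Azure activity-log events so the three operation names and the success filter can be checked offline. This is an added example, not code from the rule or from the Elastic detection-rules repository. The sample events are invented for illustration; the field names used only for the triage summary (azure.resource.name and the initiating-user claim under azure.activitylogs.identity) are assumptions about how the Elastic Azure integration lays out the document and are not part of the query itself.

```python
import json
from typing import Iterable

# Exact operation names from the rule. Azure activity logs report
# operationName in upper case, and the rule matches the literal strings.
RUNBOOK_OPERATIONS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
}
# The rule accepts both casings of the outcome value, so mirror that.
SUCCESS_OUTCOMES = {"Success", "success"}


def get_field(event: dict, dotted: str):
    """Resolve a dotted ECS field name against a nested or flattened document."""
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: dict) -> bool:
    """Equivalent of the rule's KQL: dataset AND operation AND successful outcome."""
    return (
        get_field(event, "event.dataset") == "azure.activitylogs"
        and get_field(event, "azure.activitylogs.operation_name") in RUNBOOK_OPERATIONS
        and get_field(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def run_detection(ndjson_lines: Iterable[str]) -> list[dict]:
    """Apply the rule to NDJSON events and return a triage summary per hit."""
    hits = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if matches_rule(ev):
            hits.append({
                "timestamp": get_field(ev, "@timestamp"),
                "operation": get_field(ev, "azure.activitylogs.operation_name"),
                # Assumed layout for the resource and actor fields (illustration only).
                "runbook": get_field(ev, "azure.resource.name"),
                "actor": get_field(ev, "azure.activitylogs.identity.claims_initiated_by_user.name"),
            })
    return hits


# Constructed sample events (not real telemetry): two should fire, three should not.
SAMPLE_EVENTS = [
    # 1. Draft written successfully -> hit
    json.dumps({"@timestamp": "2023-06-22T10:00:01Z", "event": {"dataset": "azure.activitylogs", "outcome": "Success"},
                "azure": {"resource": {"name": "maint-runbook"},
                          "activitylogs": {"operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE",
                                           "identity": {"claims_initiated_by_user": {"name": "ops@example.com"}}}}}),
    # 2. Publish action, lower-case outcome -> hit
    json.dumps({"@timestamp": "2023-06-22T10:00:09Z", "event": {"dataset": "azure.activitylogs", "outcome": "success"},
                "azure": {"resource": {"name": "maint-runbook"},
                          "activitylogs": {"operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION",
                                           "identity": {"claims_initiated_by_user": {"name": "ops@example.com"}}}}}),
    # 3. Runbook write that failed -> no hit
    json.dumps({"@timestamp": "2023-06-22T10:01:00Z", "event": {"dataset": "azure.activitylogs", "outcome": "Failed"},
                "azure": {"activitylogs": {"operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE"}}}),
    # 4. Write to the automation account itself, not a runbook -> no hit
    json.dumps({"@timestamp": "2023-06-22T10:02:00Z", "event": {"dataset": "azure.activitylogs", "outcome": "Success"},
                "azure": {"activitylogs": {"operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE"}}}),
    # 5. Right operation but wrong dataset -> no hit
    json.dumps({"@timestamp": "2023-06-22T10:03:00Z", "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
                "azure": {"activitylogs": {"operation_name": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE"}}}),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Events 3 to 5 show why each clause in the query is there: a failed write is noise, a write to the automation account is a different operation (other rules cover account-level changes), and the dataset check keeps the rule from firing on look-alike fields in other Azure streams. The actor field in the summary is what you pivot on during triage, since legitimate automation engineers produce exactly the same three operations; the rule's low severity reflects that.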

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
