Azure Automation runbook created
Description
AlphaSOC detected the creation of an Azure Automation runbook. Runbooks are scripts that execute within Automation Accounts to perform automated tasks across Azure resources. Adversaries may create runbooks to establish persistence, execute malicious code using cloud APIs, or automate post-compromise activities.
Impact
Malicious runbooks can execute arbitrary code within the Azure environment, allowing attackers to maintain persistent access, modify cloud resources, exfiltrate data, or pivot to other systems. Automation runbooks run with the permissions of the Automation Account, potentially providing broad access to Azure resources if the account has elevated privileges.
Severity
| Severity | Condition |
|---|---|
| Informational | Azure Automation runbook created |
Investigation and Remediation
Review the newly created runbook's content and purpose. Verify the identity of the user who created it and confirm the action was authorized. Examine the Automation Account's permissions and run-as credentials. If the runbook is unauthorized, delete it immediately, review the Automation Account for additional modifications, and investigate the user's recent activity for signs of compromise.
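The triage steps above, collected into one Az PowerShell script as an added example (not AlphaSOC tooling): it pulls the runbook's metadata and body, the Activity Log entries that created or modified it, any schedules or webhooks that would trigger it, and the role assignments of the Automation Account's system-assigned managed identity. It assumes the Az.Accounts, Az.Automation, Az.Monitor and Az.Resources modules and an authenticated session; all resource names are placeholders.

```powershell
# Triage helper for an "Azure Automation runbook created" alert (added example).
# Read-only: it gathers evidence; deletion is a separate, deliberate step.
param(
    [string]$SubscriptionId    = "<subscription-id>",
    [string]$ResourceGroupName = "<resource-group>",
    [string]$AutomationAccount = "<automation-account>",
    [string]$RunbookName       = "<runbook-name>",
    [string]$OutputFolder      = (Join-Path $PWD "runbook-triage")
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Runbook metadata: type, publish state, creation time and last modifier.
Get-AzAutomationRunbook -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccount -Name $RunbookName |
    Select-Object Name, RunbookType, State, CreationTime, LastModifiedTime, LastModifiedBy

# 2. Export the body of both slots for review (a draft can differ from what is published).
foreach ($slot in "Draft", "Published") {
    $dir = Join-Path $OutputFolder $slot
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    try {
        Export-AzAutomationRunbook -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccount -Name $RunbookName `
            -Slot $slot -OutputFolder $dir -Force | Out-Null
    } catch { Write-Warning "No $slot content for ${RunbookName}: $($_.Exception.Message)" }
}

# 3. Activity Log: which identity issued the runbooks/write (and related) operations.
$rbId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.Automation/automationAccounts/$AutomationAccount/runbooks/$RunbookName"
Get-AzActivityLog -ResourceId $rbId -StartTime (Get-Date).AddDays(-30) |
    Where-Object { $_.OperationName.Value -like "Microsoft.Automation/automationAccounts/runbooks/*" } |
    Select-Object EventTimestamp, Caller,
        @{ n = "Operation"; e = { $_.OperationName.Value } },
        @{ n = "Status";    e = { $_.Status.Value } }

# 4. Triggers that would run the runbook without a human: schedules and webhooks.
Get-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccount -RunbookName $RunbookName
Get-AzAutomationWebhook -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccount -RunbookName $RunbookName

# 5. Blast radius: roles held by the account's system-assigned identity
#    (its service principal display name matches the Automation Account name).
$sp = Get-AzADServicePrincipal -DisplayName $AutomationAccount | Select-Object -First 1
if ($sp) { Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope }
else     { Write-Warning "No system-assigned identity found for $AutomationAccount" }
```

If the runbook turns out to be unauthorized, `Remove-AzAutomationRunbook` with the same resource group, account and name parameters removes it once the exported copy has been preserved as evidence.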
Known False Positives
- Legitimate infrastructure automation and DevOps activities
- Scheduled maintenance scripts created by administrators
- Third-party management tools that use Azure Automation