Azure API calls indicating Automation runbook modification
Description
AlphaSOC detected modifications to an Azure Automation runbook. Adversaries may modify existing runbooks to inject malicious code or backdoors, leveraging the trusted automation infrastructure to execute unauthorized commands. This technique enables persistence and execution of malicious activities within the cloud environment while potentially evading detection.
Impact
Modified runbooks can execute malicious code with the permissions of the Automation Account, potentially affecting multiple Azure resources. Attackers may use this technique to maintain persistent access, steal credentials, manipulate data, or pivot to other systems. The legitimate appearance of modified runbooks can make detection challenging.
Severity
| Severity | Condition |
|---|---|
| Low | Runbook modification by a user for the first time |
Investigation and Remediation
Review the runbook's modification history and compare the current version with previous versions to identify changes. Verify the identity of the user who made the modifications and confirm the changes were authorized. Examine the modified code for suspicious commands, encoded payloads, or external connections. If unauthorized changes are detected, restore the runbook to a known good state and investigate the user's account for compromise.
Known False Positives
- Routine updates to automation scripts by administrators
- DevOps teams modifying runbooks as part of normal workflows
- Scheduled maintenance or improvements to existing automation
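The Severity condition above (first runbook modification by a given user) and the false-positive list can be turned into a small baseline-driven check over Azure Activity Log records. This is an added example, not AlphaSOC's detection code; it assumes the Activity Log operationName values listed in RUNBOOK_WRITE_OPS and uses constructed sample records rather than real tenant data.

```python
"""Flag first-time Automation runbook modifications in Activity Log records."""
from dataclasses import dataclass

# Assumed Activity Log operationName values that change runbook content.
RUNBOOK_WRITE_OPS = {
    "Microsoft.Automation/automationAccounts/runbooks/write",
    "Microsoft.Automation/automationAccounts/runbooks/draft/write",
}


@dataclass(frozen=True)
class Alert:
    caller: str
    resource_id: str
    severity: str


def detect_first_time_runbook_changes(events, known_modifiers=None):
    """Return one Low alert per caller on their first successful runbook write.

    `events` are dicts shaped like Activity Log entries (operationName, caller,
    resourceId, status). `known_modifiers` seeds the baseline of callers who
    have changed runbooks before (e.g. the admin/DevOps accounts named under
    Known False Positives); the baseline grows as new callers are observed.
    """
    seen = {c.lower() for c in (known_modifiers or ())}
    alerts = []
    for ev in events:
        if ev.get("operationName") not in RUNBOOK_WRITE_OPS:
            continue  # reads, publishes, job starts etc. are out of scope here
        if ev.get("status") != "Succeeded":
            continue  # a failed or pending write did not alter the runbook
        caller = ev.get("caller", "").lower()
        if caller in seen:
            continue  # routine change by an already-known modifier
        seen.add(caller)
        alerts.append(Alert(caller, ev["resourceId"], "Low"))
    return alerts


# Constructed sample records (hypothetical tenant, not real data).
RB = "/subscriptions/sub-example/resourceGroups/rg-auto/providers/Microsoft.Automation/automationAccounts/aa-prod/runbooks/Rotate-Keys"
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "caller": "ops-admin@contoso.example", "resourceId": RB, "status": "Succeeded"},
    {"operationName": "Microsoft.Automation/automationAccounts/runbooks/write", "caller": "ops-admin@contoso.example", "resourceId": RB, "status": "Succeeded"},
    {"operationName": "Microsoft.Automation/automationAccounts/runbooks/read", "caller": "audit-svc@contoso.example", "resourceId": RB, "status": "Succeeded"},
    {"operationName": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "caller": "Contractor@contoso.example", "resourceId": RB, "status": "Succeeded"},
    {"operationName": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "caller": "intern@contoso.example", "resourceId": RB, "status": "Failed"},
]

if __name__ == "__main__":
    for a in detect_first_time_runbook_changes(SAMPLE_EVENTS, {"ops-admin@contoso.example"}):
        print(f"[{a.severity}] first runbook modification by {a.caller} on {a.resource_id}")
```

Seeding `known_modifiers` from an allow-list of administrators and DevOps identities is what keeps the routine updates listed above from alerting, while a caller outside that baseline produces the Low alert described in the Severity table.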