Azure Anomalous App Service WebJob Activity

Detection overview

Triggers

  • Unusual creation or modification of Azure App Service WebJob configurations.
  • Frequent or repetitive execution of WebJobs with unknown or suspicious triggers.
  • Changes to existing WebJobs that could indicate malicious intent.

Possible Root Causes

  • Compromised Identity: An attacker has gained access to an identity and is attempting to deploy a malicious application.
  • Unauthorized Modifications: An unauthorized user or service principal is creating or modifying WebJobs with elevated permissions.
  • Misconfigured or Compromised Resources: Security gaps in Azure resources are leading to unexpected WebJob behavior.
  • Insufficient Monitoring: Inadequate security controls allow suspicious activity to go undetected.
  • Legitimate Development Activity: A developer is creating or modifying a WebJob as part of a valid application deployment or maintenance process.

Business Impact

  • Data breaches and unauthorized access to sensitive information.
  • Denial-of-Service (DoS) attacks or resource exhaustion due to malicious code execution.
  • Compliance and regulatory risks due to security vulnerabilities.
  • Unintended changes to production data or systems caused by untested or unauthorized WebJobs.

Steps to Verify

  • Investigate the Azure Resource Group or Subscription: Review the environment where suspicious WebJob activity was detected.
  • Analyze Azure Activity Logs: Look for anomalies in WebJob creation, modification, or execution.
  • Inspect WebJob Configurations and Code: Check for signs of malicious intent, unauthorized access, or suspicious behavior.
  • Review User and Service Principal Permissions: Ensure that only authorized identities have the ability to create or modify WebJobs.
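
One way to carry out the "Analyze Azure Activity Logs" step, as an added example that is not part of the original page or the vendor's detection logic. It assumes records shaped like `az monitor activity-log list` output and matches WebJob operations by the substring "webjobs" in the operation name; the allowlist, threshold, and sample events are constructed for illustration.

```python
from collections import Counter

APPROVED_CALLERS = {"deploy@contoso.example"}  # hypothetical allowlist
RUN_THRESHOLD = 3  # hypothetical: executions per caller and WebJob in the window

def _value(field):
    """operationName may be a plain string or {"value": ...} depending on the export."""
    return field.get("value", "") if isinstance(field, dict) else (field or "")

def triage_webjob_events(events, approved=APPROVED_CALLERS, threshold=RUN_THRESHOLD):
    """Return (kind, caller, detail, extra) tuples for WebJob activity worth reviewing."""
    findings, runs = [], Counter()
    for ev in events:
        op = _value(ev.get("operationName")).lower()
        if "webjobs" not in op or op.endswith("/read"):
            continue  # not a WebJob operation, or read-only
        caller = (ev.get("caller") or "unknown").lower()
        if op.endswith(("/run/action", "/start/action")):
            runs[(caller, ev.get("resourceId", ""))] += 1
        if caller not in approved:
            findings.append(("unapproved_caller", caller, op, ev.get("eventTimestamp")))
    for (caller, resource), count in runs.items():
        if count >= threshold:
            findings.append(("repeated_execution", caller, resource, count))
    return findings

# Constructed sample events (not real log data).
SITE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.Web/sites/app-demo")

def _ev(ts, caller, op, suffix=""):
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": op}, "resourceId": SITE + suffix}

SAMPLE_EVENTS = [
    _ev("2024-01-01T02:00:00Z", "deploy@contoso.example",
        "Microsoft.Web/sites/triggeredwebjobs/run/action", "/triggeredwebjobs/nightly"),
    *[_ev(f"2024-01-01T03:0{i}:00Z", "unknown-sp-placeholder",
          "Microsoft.Web/sites/triggeredwebjobs/run/action", "/triggeredwebjobs/sync")
      for i in range(3)],
    _ev("2024-01-01T03:05:00Z", "unknown-sp-placeholder",
        "Microsoft.Web/sites/continuouswebjobs/delete", "/continuouswebjobs/worker"),
    _ev("2024-01-01T03:06:00Z", "unknown-sp-placeholder",
        "Microsoft.Web/sites/triggeredwebjobs/read", "/triggeredwebjobs/sync"),
    _ev("2024-01-01T03:07:00Z", "unknown-sp-placeholder", "Microsoft.Web/sites/write"),
]

if __name__ == "__main__":
    for finding in triage_webjob_events(SAMPLE_EVENTS):
        print(finding)
```

Findings from a check like this are leads for the configuration and permission reviews in the remaining steps, since an unapproved caller may still be a legitimate developer.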

Possible root causes

Malicious Detection

Benign Detection

Example scenarios

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Steps to investigate

MITRE ATT&CK techniques covered
