Azure Suspicious App Service Creation or Modification

Detection overview

Triggers

  • Modification of an existing Azure Function App Service with unusual parameters or logic.
  • Unusual changes to App Service triggers, bindings, or storage accounts.
  • Unusual creation or modification of Azure Functions by an unexpected or unauthorized user/service principal, potentially indicating malicious activity.

Possible Root Causes

  • Compromised Principal Account: An attacker has gained access and is attempting unauthorized modifications.
  • Development Activity: A developer is creating or modifying an Azure Function App Service (for example, changing its runtime version).
  • Automated Deployment: Previously unused deployment scripts are updating the function code or configuration.
  • Legitimate Development Process: A developer is creating a new function or modifying an existing one as part of standard operations.

Business Impact

  • Exposure of sensitive data through unauthorized access or data leaks.
  • Security vulnerabilities exploited due to misconfigured functions or storage accounts.
  • Unplanned changes to business logic or workflows.
  • Potential data breaches, unauthorized access to sensitive resources, disruption of critical business services, and reputational damage.

Steps to Verify

  • Review Azure Activity Logs: Investigate the user/service principal and the created or modified App Service.
  • Investigate Permissions: Check the user's or service principal's access levels within Azure.
  • Correlate Security Alerts: Verify if other security alerts or notifications were triggered around the time of the suspicious event.
  • Inspect Function Code: Analyze the Azure Function code for signs of malicious activity.
  • Consult Stakeholders: Work with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
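
One way to carry out the Activity Log review described in the steps above, as an added example that is not part of the original detection page: a Python triage over constructed Activity Log export lines that flags successful App Service write operations by principals not seen writing those resources before the triage window. The operation names are real Azure resource-provider operations; the principals, resource IDs, timestamps and the `SUB-PLACEHOLDER`/`APP-ID-PLACEHOLDER` values are hypothetical.

```python
import json
from datetime import datetime

# Activity Log operations that create or change a Function App / App Service (real operation names).
APP_SERVICE_WRITE_OPS = {
    "Microsoft.Web/sites/write",            # site created or updated
    "Microsoft.Web/sites/config/write",     # app settings, triggers/bindings, storage strings
    "Microsoft.Web/sites/functions/write",  # a function's code or definition
}

# Constructed sample, one JSON object per line as exported from Azure Monitor; all values are hypothetical.
SAMPLE_LOG = """\
{"eventTimestamp":"2024-03-01T09:00:00Z","operationName":"Microsoft.Web/sites/write","caller":"deploy-sp@contoso.example","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders","status":"Succeeded"}
{"eventTimestamp":"2024-03-03T11:00:00Z","operationName":"Microsoft.Web/sites/read","caller":"alice@contoso.example","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders","status":"Succeeded"}
not-json: truncated export line
{"eventTimestamp":"2024-03-10T02:10:00Z","operationName":"Microsoft.Web/sites/functions/write","caller":"deploy-sp@contoso.example","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders/functions/ProcessOrder","status":"Succeeded"}
{"eventTimestamp":"2024-03-10T02:12:00Z","operationName":"Microsoft.Web/sites/config/write","caller":"alice@contoso.example","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders/config/appsettings","status":"Succeeded"}
{"eventTimestamp":"2024-03-10T02:14:00Z","operationName":"Microsoft.Web/sites/write","caller":"bob@contoso.example","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders","status":"Failed"}
{"eventTimestamp":"2024-03-10T02:20:00Z","operationName":"Microsoft.Web/sites/functions/write","caller":"APP-ID-PLACEHOLDER","resourceId":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders/functions/ProcessOrder","status":"Succeeded"}
"""

def _ts(value):  # Activity Log timestamps are RFC 3339 with a 'Z' suffix
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_activity_log(text):
    """Parse newline-delimited JSON; skip lines that are not valid JSON (truncated exports)."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return records

def baseline_writers(records, window_start):
    """Principals that successfully wrote App Service resources before the triage window."""
    start = _ts(window_start)
    return {r["caller"] for r in records
            if _ts(r["eventTimestamp"]) < start and r["status"] == "Succeeded"
            and r["operationName"] in APP_SERVICE_WRITE_OPS}

def find_suspicious_writes(records, window_start, approved=()):
    """Successful App Service writes in the window by callers neither approved nor in the baseline."""
    start = _ts(window_start)
    known = baseline_writers(records, window_start) | set(approved)
    return [{"time": r["eventTimestamp"], "caller": r["caller"],
             "operation": r["operationName"], "resource": r["resourceId"]}
            for r in records
            if _ts(r["eventTimestamp"]) >= start and r["status"] == "Succeeded"
            and r["operationName"] in APP_SERVICE_WRITE_OPS and r["caller"] not in known]
```

Read operations and failed attempts are deliberately left out so that only changes that actually landed are surfaced; each finding still needs the permission check and code inspection from the steps above before it is treated as malicious.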