Azure Suspicious Automation DSC Execution

Detection overview

Triggers

  • Unusual changes to VM configuration or Hybrid Environment using Azure Automation Account with DSC (Desired State Configuration).
  • Modification of existing DSC configurations with unusual parameters or logic.
  • Unusual creation or modification of DSC resources by an unexpected or unauthorized user/service principal.
  • Possible misuse of DSC for malicious purposes, such as lateral movement or privilege escalation.

Possible Root Causes

  • The VM or hybrid machine has been compromised by an attacker who is using DSC to maintain persistence and evade detection.
  • DSC has been misconfigured by a user, leading to unintended behavior and potential security issues.
  • An unauthorized user or service principal has gained access to the Azure environment and is using DSC for malicious purposes.
  • Automated deployment scripts not previously used are updating the DSC configurations.

Business Impact

  • Exposure of sensitive data through unauthorized access or data leaks
  • Security vulnerabilities exploited due to misconfigured resources or DSC configurations
  • Unplanned changes to business logic or workflows
  • Potential data breaches, unauthorized access to resources, disruption of critical business services, and reputational damage

Steps to Verify

  • Review Azure Activity Logs: Investigate the user/service principal and the affected VM for suspicious activity.
  • Audit DSC Configurations for Azure Automation Accounts: Review the DSC configurations for unusual changes or modifications. To view the DSC service:
    - Navigate to the 'Automation Accounts' service in Azure.
    - Identify the Automation Account associated with the DSC service.
    - DSC can be found under the 'Configuration Management' tab for the selected Automation Account.
  • Check Network Traffic: Examine network traffic to and from the VM to detect any potential lateral movement or communication with malicious actors.
  • Conduct a Security Audit: Perform a thorough security audit of the affected VM and its resources to identify any vulnerabilities or misconfigurations.
  • Consult with Azure Administrators: Work with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
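The first two verification steps (reviewing Activity Logs and auditing who changed DSC configurations) can be scripted over exported Activity Log events. The following is an added example, not part of the original detection documentation: it filters completed DSC write operations in an Automation Account and reports any caller that is not an allow-listed deployment identity. It assumes the exported Activity Log JSON field names (`operationName`, `resultType`, `caller`, `callerIpAddress`, `resourceId`, `time`); the sample events, identities and subscription id are constructed placeholders.

```python
# Azure Activity Log operation names emitted when DSC artifacts in an Automation Account change.
DSC_WRITE_OPERATIONS = {
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/CONFIGURATIONS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/COMPILATIONJOBS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/NODECONFIGURATIONS/WRITE",
    "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/NODES/WRITE",
}


def find_unexpected_dsc_changes(records, expected_callers):
    """Return completed DSC writes whose caller (UPN or app id, lower-cased)
    is not in expected_callers, the identities that legitimately publish DSC."""
    findings = []
    for rec in records:
        op = rec.get("operationName", "").upper()
        if op not in DSC_WRITE_OPERATIONS:
            continue
        # Each write logs "Start" then "Success"/"Failure"; only a completed write alters node state.
        if rec.get("resultType") != "Success":
            continue
        caller = rec.get("caller", "").lower()
        if caller in expected_callers:
            continue
        findings.append({
            "time": rec.get("time"),
            "caller": caller,
            "callerIp": rec.get("callerIpAddress"),
            "artifact": op.rsplit("/", 2)[-2].lower(),  # e.g. nodeconfigurations
            "resourceId": rec.get("resourceId"),
        })
    return findings


# Constructed sample events (not real tenant data); identities, IPs and subscription id are placeholders.
AA = "/subscriptions/<sub-id>/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-prod/"
CFG_WRITE = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/CONFIGURATIONS/WRITE"
NODE_WRITE = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/NODECONFIGURATIONS/WRITE"


def _event(time, result, caller, ip, op, path):
    return {"time": time, "resultType": result, "caller": caller,
            "callerIpAddress": ip, "operationName": op, "resourceId": AA + path}


SAMPLE_LOG = [
    _event("2024-05-01T02:10:58Z", "Start", "deploy-pipeline@example.com", "198.51.100.20", CFG_WRITE, "configurations/WebBaseline"),
    _event("2024-05-01T02:11:09Z", "Success", "deploy-pipeline@example.com", "198.51.100.20", CFG_WRITE, "configurations/WebBaseline"),
    _event("2024-05-01T03:42:17Z", "Success", "jdoe@example.com", "203.0.113.7", NODE_WRITE, "nodeConfigurations/WebBaseline.localhost"),
    _event("2024-05-01T03:44:02Z", "Failure", "svc-unknown@example.com", "203.0.113.7", CFG_WRITE, "configurations/WebBaseline"),
    _event("2024-05-01T03:45:30Z", "Success", "jdoe@example.com", "203.0.113.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ", ""),
]
EXPECTED_CALLERS = {"deploy-pipeline@example.com"}
```

Each finding gives the caller, source IP and affected DSC artifact, which is the starting point for the "Consult with Azure Administrators" step: confirm with the owning team whether the change was scheduled before treating it as an incident.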