Azure Suspicious Hybrid Automation Execution

Triggers

• Unusual execution of an Azure Automation Runbook on a hybrid machine by an unexpected or unauthorized user/service principal.
• Unusual changes to Runbook execution permissions.
• Runbooks are being executed (deployed) on hybrid machines for legitimate business use-cases.

Possible Root Causes

• A compromised principal account is attempting to execute malicious Runbooks.
• An administrator or developer has inadvertently created or modified a Runbook with unusual logic.
• Automated deployment scripts are updating Runbooks without proper authorization.
• A legitimate business process involves running Runbooks, but the execution frequency or parameters have been altered.

Business Impact

• Exposure of sensitive data due to unauthorized access or data leaks.
• Security vulnerabilities exploited through misconfigured VMs or runbooks or hybrid enviroments.
• Disruption of critical business services and reputational damage due to unplanned system downtime.
• Unauthorized changes to business logic or workflows, leading to financial losses or compliance issues.

Steps to Verify

• Review Azure Activity Logs for the suspicious event, focusing on the user/service principal and the executed hybrid Runbook.
• Investigate the user’s or service principal’s permissions and access levels within Azure.
• Verify if other security alerts or notifications were triggered around the time of the suspicious event.
• Inspect the Runbook code for signs of malicious activity. To view the Runbook:
  - Navigate to the 'Automation Accounts' service in Azure
  - Identity the Automation Account associated to the Runbook
  - The Runbooks can be found under the 'Process Automation' tab for the selected Automation Account
• Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
• If review indicates malicious actions, isolate the hybrid machine group for further investigation or member workers and remediate.