Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

Azure Suspicious VM Automation Execution

Azure Suspicious VM Automation Execution
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • Unusual execution of a VM Azure Runbook by an unexpected or unauthorized user/service principal.
  • Unusual changes to Runbook execution permissions.
  • Runbooks are being executed (deployed) for legitimate business use cases.

Possible Root Causes

  • Compromised Principal Account: An attacker has gained access to a service principal or user account and is executing malicious Runbooks.
  • Misconfigured Runbook: An administrator or developer has inadvertently created or modified a Runbook with unusual logic.
  • Unauthorized Automation: Automated deployment scripts are updating or executing Runbooks without proper authorization.
  • Legitimate Business Process: A valid business process involves running Runbooks, but execution frequency or parameters have been altered in an unexpected way.

Business Impact

  • Exposure of sensitive data due to unauthorized access or data leaks.
  • Security vulnerabilities exploited through misconfigured VMs or Runbooks.
  • Disruption of critical business services and reputational damage due to unplanned system downtime.
  • Unauthorized changes to business logic or workflows, leading to financial losses or compliance issues.

Steps to Verify

  • Review Azure Activity Logs for the suspicious event, focusing on the user/service principal and the executed Runbook.
  • Investigate the user�s or service principal�s permissions and access levels within Azure.
  • Verify if other security alerts or notifications were triggered around the time of the suspicious event.
  • Inspect the Runbook code for signs of malicious activity.
  • To view the Runbook:
    • Navigate to the Automation Accounts service in Azure.
    • Identify the Automation Account associated with the Runbook.
    • Locate the Runbooks under the Process Automation tab for the selected Automation Account.
  • Consult with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
  • If the review indicates malicious actions, isolate the virtual machine for further investigation and remediation.
Azure Suspicious VM Automation Execution

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious VM Automation Execution

Example scenarios

Azure Suspicious VM Automation Execution

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious VM Automation Execution

Steps to investigate

Azure Suspicious VM Automation Execution

MITRE ATT&CK techniques covered

Remote Service Session Hijacking

T1563
Azure Suspicious VM Automation Execution

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs