Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

Azure Suspicious VM Automation Test

Azure Suspicious VM Automation Test
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • Unusual modifications were made to a Runbook in an Azure Automation Account.
  • An unusual test job was run on an Azure Automation Account Runbook for an Azure VM before it was staged for execution.
  • A VM Runbook was updated or tested as part of legitimate business workflows.

Possible Root Causes

  • Compromised Service Principal: An attacker has gained access to a service principal account and is attempting unauthorized modifications.
  • Insider Threat: A user with elevated privileges is making malicious changes to the Runbook.
  • Unauthorized Automation: Automated deployment scripts are updating a Runbook without proper authorization.
  • Legitimate Development Activity: An authorized user is making changes to a Runbook as part of a valid development process.
  • Misconfigured Permissions: Improperly configured access levels within Azure are allowing unauthorized users to modify the Automation Account.

Business Impact

  • Exposure of sensitive data through unauthorized access or data leaks.
  • Security vulnerabilities exploited due to misconfigured Runbooks.
  • Unplanned changes to business logic or workflows.
  • Potential data breaches, unauthorized access to resources, disruption of critical business services, and reputational damage.

Steps to Verify

  • Review the Azure Activity Logs for the suspicious event, focusing on the user/service principal and the modified Runbook.
  • Inspect the Runbook code for signs of malicious activity.
  • To view the Runbook:
    • Navigate to the Automation Accounts service in Azure.
    • Identify the Automation Account associated with the Runbook.
    • Locate the Runbooks under the Process Automation tab for the selected Automation Account.
  • Investigate the user�s or service principal�s permissions and access levels within the Azure Automation Account.
  • Verify if other security alerts or notifications were triggered around the time of the suspicious event.
  • Check the associated Azure Virtual Machine for signs of malicious activity, such as unexpected changes to configuration or data.
Azure Suspicious VM Automation Test

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious VM Automation Test

Example scenarios

Azure Suspicious VM Automation Test

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious VM Automation Test

Steps to investigate

Azure Suspicious VM Automation Test

MITRE ATT&CK techniques covered

Account Manipulation

T1098

Application Layer Protocol

T1071
Azure Suspicious VM Automation Test

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs