Azure Automation Runbook Deleted

Elastic Stack Serverless Security

Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target’s automated business operations or to remove a malicious runbook for defense evasion.

Rule type: query

Rule indices:

• filebeat-*
• logs-azure*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-25m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
• https://github.com/hausec/PowerZure
• https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
• https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/

Tags:

• Elastic
• Cloud
• Azure
• Continuous Monitoring
• SecOps
• Configuration Audit
• Defense Evasion

Version: 101

Rule authors:

• Elastic

Rule license: Elastic License v2

event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
    event.outcome:(Success or success)

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Defense Evasion
  • ID: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/