security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Automation Account Created (#177)

Browse Source 
* new-rule-azure-automation-account-created

* Fix rule name format 😄

* Update rules/azure/persistence_azure_automation_account_created.toml

Update maturity to production

* Update rules/azure/persistence_azure_automation_account_created.toml

Update ecs_version to 1.6.0

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
This commit is contained in:
David French
2020-09-03 11:08:38 -06:00
committed by GitHub
parent 6e931959bb
commit 85e799b378
1 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/azure/persistence_azure_automation_account_created.toml
+62
View File
@@ -0,0 +1,62 @@
[metadata]
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/18"
[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
"""
from = "now-25m"
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Azure Automation Account Created"
note = "The Azure Filebeat module must be enabled to use this rule."
references = [
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
"https://github.com/hausec/PowerZure",
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
"https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/",
]
risk_score = 21
rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
severity = "low"
tags = ["Azure", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
type = "query"
query = '''
event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:Success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"