Skip to content

Microsoft.Automation/automationAccounts/jobs/write

Azure

Microsoft.Automation/automationAccounts/jobs/write

service: Azure - Automation
techniques:

Event

Creates or starts a runbook job in an Azure Automation account.

Security Context

  • Automation services can be weaponized to execute scripts across multiple resources simultaneously, enabling rapid lateral movement.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud starts a runbook job for the Backup-OffSite runbook (an existing legitimate runbook) on a Hybrid Runbook Worker that has line-of-sight to on-prem AD. The runbook is hijacked to dump the OnPremDomainAdmin credential value (read in the previous event) by calling Get-AutomationPSCredential -Name OnPremDomainAdmin and writing it to runbook output. Output is captured in the job stream — Draco then reads the output via jobs/read. Maps to T1072 (Software Deployment Tools) + T1059 (Command and Scripting Interpreter).

{
"authorization": {
"action": "Microsoft.Automation/automationAccounts/jobs/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/jobs/90000000-0000-4000-8000-000010001000"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000010001000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000010001001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T21:08:32.7382194Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/jobs/90000000-0000-4000-8000-000010001000/events/90000000-0000-4000-8000-000010001001/ticks/638798227127382194",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000010001010",
"operationName": {
"value": "Microsoft.Automation/automationAccounts/jobs/write",
"localizedValue": "Create or Update an Azure Automation job"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.Automation",
"localizedValue": "Microsoft.Automation"
},
"resourceType": {
"value": "Microsoft.Automation/automationAccounts/jobs",
"localizedValue": "Microsoft.Automation/automationAccounts/jobs"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/jobs/90000000-0000-4000-8000-000010001000",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Created",
"localizedValue": "Created (HTTP Status Code: 201)"
},
"submissionTimestamp": "2026-04-15T21:08:33.0218732Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Created",
"serviceRequestId": null,
"requestbody": "{\"properties\":{\"runbook\":{\"name\":\"Backup-OffSite\"},\"parameters\":{},\"runOn\":\"hybrid-worker-occamy-01\"}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/jobs/90000000-0000-4000-8000-000010001000",
"message": "Microsoft.Automation/automationAccounts/jobs/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000010001011",
"clientIpAddress": "203.0.113.66",
"method": "PUT",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Automation/automationAccounts/aa-occamy-automation/jobs/90000000-0000-4000-8000-000010001000?api-version=2023-11-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Execution Persistence

Techniques:
  • T1072 — Software Deployment Tools — Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine adminis...
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...