Microsoft.Automation/automationAccounts/webhooks/write
Event
Creates or updates a webhook that can trigger an Azure Automation runbook remotely.
Security Context
- Automation services can be weaponized to execute scripts across multiple resources simultaneously, enabling rapid lateral movement.
Log Source
Azure Activity Log
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence, Execution
Techniques:
- T1072 — Software Deployment Tools — Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine adminis...
- T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.