Az - Automation Account
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
From the docs: Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.
Automation Accounts behave like "scheduled tasks" in Azure: they let you run actions or whole scripts to manage, check and configure the Azure environment.
When a Run As account is used, Azure creates an Azure AD application with a self-signed certificate, creates a service principal and assigns it the Contributor role on the current subscription (a lot of privileges). Microsoft recommends using a Managed Identity for the Automation Account instead.
Run As accounts are retired on September 30, 2023 and replaced by Managed Identities.
Runbooks allow you to execute arbitrary PowerShell code. This could be abused by an attacker to steal the permissions of the attached principal (if any). In the code of Runbooks you could also find sensitive info (such as creds).
If you can read the jobs, do it as they contain the output of the run (potential sensitive info).
Go to Automation Accounts --> <Select Automation Account> --> Runbooks / Jobs / Hybrid worker groups / Watcher tasks / Credentials / Variables / Certificates / Connections
A Runbook can be run in a container inside Azure or in a Hybrid Worker (a non-Azure machine). The Log Analytics Agent is deployed on the VM to register it as a hybrid worker. Hybrid worker jobs run as SYSTEM on Windows and as the nxautomation account on Linux. Each Hybrid Worker is registered in a Hybrid Worker Group.
Therefore, if you can choose to run a Runbook in a Windows Hybrid Worker, you will execute arbitrary commands inside an external machine as SYSTEM (nice pivot technique).
From the docs: Azure Automation State Configuration is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations for nodes in any cloud or on-premises datacenter. The service also imports DSC Resources, and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting State configuration (DSC) under Configuration Management.
Sensitive information could be found in these configurations.
It's possible to abuse State Configuration to run arbitrary scripts in the managed machines.
Az - State Configuration RCE
You could do the same thing by modifying an existing Runbook, and from the web console.
1. Create a new Automation Account, ensuring "Create Azure Run As account" is enabled.
2. Download the sample runbook from the MicroBurst GitHub Repository, then:
   - Import the runbook into the Automation Account.
   - Publish the runbook to make it executable.
   - Attach a webhook to the runbook, enabling external triggers.
3. Add the AzureAD module to the Automation Account, and ensure all Azure Automation Modules are updated to their latest versions.
4. Assign the User Administrator and Subscription Owner roles to the Automation Account for the necessary privileges. Note: be aware that configuring such automation might lead to losing control over the subscription.
5. Trigger the webhook to create a new user by sending a POST request. Use the PowerShell script provided, replacing the $uri with your actual webhook URL and updating the $AccountInfo with the desired username and password.
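The set-up above leaves artifacts a defender can audit: a legacy Run As connection, an enabled webhook, Hybrid Worker groups, stored credential/variable assets and privileged roles on the account's identity. The following Az PowerShell script is an added example (not from the original page or from MicroBurst) that inventories those points for every Automation Account in the current subscription; it assumes Az.Accounts, Az.Automation and Az.Resources are installed and Connect-AzAccount has been run with read access, and it assumes the system-assigned identity's service principal shares the account's display name.

```powershell
# Added audit example (not from the original page or MicroBurst).
# Assumes: Az.Accounts, Az.Automation, Az.Resources installed; Connect-AzAccount already run.
$findings = New-Object System.Collections.Generic.List[string]

foreach ($acct in Get-AzAutomationAccount) {
    $name = $acct.AutomationAccountName
    $ctx  = @{ ResourceGroupName = $acct.ResourceGroupName; AutomationAccountName = $name }

    # 1. Legacy Run As account: its connection asset is always named 'AzureRunAsConnection'.
    if (Get-AzAutomationConnection @ctx -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue) {
        $findings.Add("[$name] legacy Run As connection still present (Contributor-level SP)")
    }

    # 2. Enabled webhooks: anyone holding the URL can start the runbook without authenticating.
    foreach ($wh in Get-AzAutomationWebhook @ctx) {
        if ($wh.IsEnabled) {
            $findings.Add("[$name] enabled webhook '$($wh.Name)' -> runbook '$($wh.RunbookName)' (expires $($wh.ExpiryTime))")
        }
    }

    # 3. Hybrid Worker groups: runbooks dispatched here run as SYSTEM / nxautomation on non-Azure hosts.
    foreach ($hwg in Get-AzAutomationHybridWorkerGroup @ctx) {
        $findings.Add("[$name] hybrid worker group '$($hwg.Name)' ($(@($hwg.RunbookWorker).Count) worker(s))")
    }

    # 4. Stored secrets: credential assets and unencrypted variables are readable by anyone with access.
    $creds = @(Get-AzAutomationCredential @ctx)
    $plain = @(Get-AzAutomationVariable @ctx | Where-Object { -not $_.Encrypted })
    if ($creds.Count) { $findings.Add("[$name] $($creds.Count) credential asset(s): $($creds.Name -join ', ')") }
    if ($plain.Count) { $findings.Add("[$name] $($plain.Count) unencrypted variable(s): $($plain.Name -join ', ')") }

    # 5. Privileged roles on the system-assigned identity. Assumption: its service principal
    #    carries the account's display name, which is how Azure names system-assigned identities.
    $sp = Get-AzADServicePrincipal -DisplayName $name -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($sp) {
        $privileged = 'Owner', 'Contributor', 'User Access Administrator'
        foreach ($ra in Get-AzRoleAssignment -ObjectId $sp.Id) {
            if ($privileged -contains $ra.RoleDefinitionName) {
                $findings.Add("[$name] identity holds '$($ra.RoleDefinitionName)' at scope $($ra.Scope)")
            }
        }
    }
}

# One line per finding; an empty result means none of the audited exposure points is present.
$findings | Sort-Object | ForEach-Object { Write-Output $_ }
```

Run it under an account with Reader on the subscription; webhook URLs themselves are never returned by the API, so the output lists only which runbooks are externally triggerable.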