Az - Automation Account
Basic Information
From the docs: Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.
These are like "scheduled tasks" in Azure that will let you execute things (actions or even scripts) to manage, check and configure the Azure environment.
Run As Account
When a Run As account is used, it creates an Azure AD application with a self-signed certificate, creates a service principal and assigns the Contributor role to that account in the current subscription (a lot of privileges). Microsoft recommends using a Managed Identity for Automation Accounts instead.
Run As accounts will be removed on September 30, 2023 and replaced by Managed Identities.
Runbooks & Jobs
Runbooks allow you to execute arbitrary PowerShell code. An attacker could abuse this to steal the permissions of the attached principal (if any). Runbook code may also contain sensitive info (such as creds).
If you can read the jobs, do it, as they contain the output of each run (potentially sensitive info).
Go to Automation Accounts --> <Select Automation Account> --> Runbooks / Jobs / Hybrid worker groups / Watcher tasks / Credentials / Variables / Certificates / Connections
Hybrid Worker
A Runbook can run in a container inside Azure or on a Hybrid Worker (a non-Azure machine). The Log Analytics agent is deployed on the VM to register it as a hybrid worker. Hybrid worker jobs run as SYSTEM on Windows and as the nxautomation account on Linux. Each Hybrid Worker is registered in a Hybrid Worker Group.
Therefore, if you can choose to run a Runbook on a Windows Hybrid Worker, you will execute arbitrary commands on an external machine as SYSTEM (nice pivot technique).
Compromise State Configuration (SC)
From the docs: Azure Automation State Configuration is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations for nodes in any cloud or on-premises datacenter. The service also imports DSC Resources, and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting State configuration (DSC) under Configuration Management.
Sensitive information could be found in these configurations.
RCE
It's possible to abuse SC to run arbitrary scripts on the managed machines.
Az - State Configuration RCE
Enumeration
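The portal path listed under Runbooks & Jobs, the Hybrid Worker section and the State Configuration section all describe assets that a reviewer should inventory. The script below is an added audit example written for this edit; it is not code from the original page or from any project. It walks one Automation Account with the Az.Automation cmdlets from a defender's perspective: it exports the published runbooks and DSC configurations and scans them for secret-like strings, warns about unencrypted variables and legacy Run As connections, lists credentials, certificates and webhooks, and flags recent jobs that ran on a hybrid worker or wrote secret-like text to their output stream. The resource group, account name, export folder, job count and the `$secretPattern` regex are assumptions to adjust.

```powershell
# Added audit example, not taken from the page or any project. Needs the Az.Accounts and
# Az.Automation modules and an authenticated session (Connect-AzAccount) with Reader access.
param(
    [Parameter(Mandatory)] [string]$ResourceGroupName,      # assumed input
    [Parameter(Mandatory)] [string]$AutomationAccountName,  # assumed input
    [string]$ExportFolder = (Join-Path ([IO.Path]::GetTempPath()) 'aa-audit'),  # assumed scratch path
    [int]$RecentJobs = 20                                   # how many of the newest jobs to inspect
)

$acct = @{ ResourceGroupName = $ResourceGroupName; AutomationAccountName = $AutomationAccountName }
New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

# Crude indicators of a hard-coded secret; tune this for your environment (assumed pattern).
$secretPattern = '(?i)(password|passwd|pwd|secret|api[_-]?key|token|connectionstring)\s*[=:]'

function Test-SecretLike {
    param([string]$Path, [string]$Label)
    $hits = Select-String -Path $Path -Pattern $secretPattern
    if ($hits) { Write-Warning "$Label matches a secret-like pattern on $($hits.Count) line(s): $Path" }
}

Write-Host "== Runbooks (published source exported to $ExportFolder) =="
foreach ($rb in Get-AzAutomationRunbook @acct) {
    "{0,-40} type={1,-20} state={2}" -f $rb.Name, $rb.RunbookType, $rb.State
    # Draft-only runbooks have no published slot; the export is skipped quietly for those.
    Export-AzAutomationRunbook @acct -Name $rb.Name -Slot Published -OutputFolder $ExportFolder -Force -ErrorAction SilentlyContinue | Out-Null
    Get-ChildItem -Path $ExportFolder -Filter "$($rb.Name).*" | ForEach-Object { Test-SecretLike -Path $_.FullName -Label "Runbook '$($rb.Name)'" }
}

Write-Host "== Webhooks (external triggers for a runbook; anyone holding the URL can start a job) =="
Get-AzAutomationWebhook @acct | ForEach-Object {
    "{0,-40} runbook={1,-30} enabled={2} expires={3:u}" -f $_.Name, $_.RunbookName, $_.IsEnabled, $_.ExpiryTime
}

Write-Host "== Variables =="
foreach ($v in Get-AzAutomationVariable @acct) {
    if (-not $v.Encrypted) { Write-Warning "Variable '$($v.Name)' is stored unencrypted; its value is readable by anyone with read access" }
}

Write-Host "== Credentials / certificates / connections (names only, values are never printed) =="
Get-AzAutomationCredential @acct  | ForEach-Object { "credential  {0,-30} user={1}" -f $_.Name, $_.UserName }
Get-AzAutomationCertificate @acct | ForEach-Object { "certificate {0,-30} exportable={1} expires={2:u}" -f $_.Name, $_.Exportable, $_.ExpiryTime }
foreach ($c in Get-AzAutomationConnection @acct) {
    "connection  {0,-30} type={1}" -f $c.Name, $c.ConnectionTypeName
    if ($c.ConnectionTypeName -eq 'AzureServicePrincipal') {
        Write-Warning "Connection '$($c.Name)' looks like a legacy Run As account; review its service principal's role assignments"
    }
}

Write-Host "== Hybrid worker groups and recent jobs =="
Get-AzAutomationHybridWorkerGroup @acct | ForEach-Object { "group {0,-30} workers={1}" -f $_.Name, @($_.RunbookWorker).Count }
$jobs = Get-AzAutomationJob @acct | Sort-Object CreationTime -Descending | Select-Object -First $RecentJobs
foreach ($j in $jobs) {
    $where = if ($j.HybridWorker) { "hybrid worker '$($j.HybridWorker)' (runs as SYSTEM / nxautomation on that host)" } else { 'Azure sandbox' }
    "{0:u} {1,-30} status={2,-10} on {3}" -f $j.CreationTime, $j.RunbookName, $j.Status, $where
    # Job streams keep whatever the runbook wrote to output; scan the summaries for leaked secrets.
    $streams = Get-AzAutomationJobOutput @acct -Id $j.JobId -Stream Any -ErrorAction SilentlyContinue
    if ($streams | Where-Object { $_.Summary -match $secretPattern }) {
        Write-Warning "Job $($j.JobId) ($($j.RunbookName)) wrote secret-like text to its output stream"
    }
}

Write-Host "== State Configuration (DSC) =="
foreach ($d in Get-AzAutomationDscConfiguration @acct) {
    Export-AzAutomationDscConfiguration @acct -Name $d.Name -Slot Published -OutputFolder $ExportFolder -Force -ErrorAction SilentlyContinue | Out-Null
    Get-ChildItem -Path $ExportFolder -Filter "$($d.Name).ps1" | ForEach-Object { Test-SecretLike -Path $_.FullName -Label "DSC configuration '$($d.Name)'" }
}
Get-AzAutomationDscNode @acct | ForEach-Object { "node {0,-30} status={1,-12} config={2}" -f $_.Name, $_.Status, $_.NodeConfigurationName }
```

Run it as `.\Audit-AutomationAccount.ps1 -ResourceGroupName rg -AutomationAccountName aa` (file name assumed). The script only needs Reader on the account; it deliberately prints names rather than the values of credentials, certificates and encrypted variables, and the warnings it emits (unencrypted variables, Run As connections, hybrid worker jobs, secret-like text in exported source or job streams) are the findings worth tracking down first.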
Create a Runbook
Exfiltrate Creds & Variables defined in an Automation Account using a Run Book
You could do the same thing by modifying an existing Runbook, or from the web console.
Steps for Setting Up an Automated Highly Privileged User Creation
1. Initialize an Automation Account
Action Required: Create a new Automation Account.
Specific Setting: Ensure "Create Azure Run As account" is enabled.
2. Import and Set Up Runbook
Source: Download the sample runbook from the MicroBurst GitHub Repository.
Actions Required:
Import the runbook into the Automation Account.
Publish the runbook to make it executable.
Attach a webhook to the runbook, enabling external triggers.
3. Configure AzureAD Module
Action Required: Add the AzureAD module to the Automation Account.
Additional Step: Ensure all Azure Automation Modules are updated to their latest versions.
4. Permission Assignment
Roles to Assign:
User Administrator
Subscription Owner
Target: Assign these roles to the Automation Account for necessary privileges.
5. Awareness of Potential Access Loss
Note: Be aware that configuring such automation might lead to losing control over the subscription.
6. Trigger User Creation
Trigger the webhook to create a new user by sending a POST request.
Use the PowerShell script provided, replacing $uri with your actual webhook URL and updating $AccountInfo with the desired username and password.
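Every step of the procedure above is a control-plane operation that lands in the subscription's Activity Log, and the privileges it depends on are role assignments that can be reviewed. The script below is an added detection and review example written for this edit; it is not code from the page or from MicroBurst. Part 1 pulls the Activity Log for the operations the steps produce (runbook draft write and publish, webhook creation, module import, job creation, role assignment) and warns about any caller that both changed Automation resources and wrote a role assignment inside the window. Part 2 lists the Azure RBAC roles held by each Automation Account's managed identity and, where one still exists, its legacy Run As service principal, warning on the privileged ones. The look-back window, the watched operation names and the privileged-role watchlist are assumptions; confirm the operation names against your own log.

```powershell
# Added detection and review example, not from the page or any project. Needs Az.Accounts,
# Az.Monitor, Az.Resources and Az.Automation and an authenticated session with Reader access.
param(
    [int]$LookbackDays = 30,                                                           # assumed window
    [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator') # assumed watchlist
)

# Control-plane operations produced by the setup steps. Assumed names; confirm against your log.
$watchedOps = @(
    'Microsoft.Automation/automationAccounts/runbooks/draft/write',
    'Microsoft.Automation/automationAccounts/runbooks/publish/action',
    'Microsoft.Automation/automationAccounts/webhooks/write',
    'Microsoft.Automation/automationAccounts/modules/write',
    'Microsoft.Automation/automationAccounts/jobs/write',
    'Microsoft.Authorization/roleAssignments/write'
)

function Get-EventText {
    # Older Az.Monitor versions return OperationName/Status as localizable objects, newer ones as strings.
    param($Field)
    if ($null -eq $Field) { return '' }
    if ($Field.PSObject.Properties['Value']) { return [string]$Field.Value }
    return [string]$Field
}

# --- 1. Activity Log: who touched Automation resources and who handed out roles ---
$start  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-AzActivityLog -StartTime $start -MaxRecord 5000 -WarningAction SilentlyContinue |
    Where-Object { (Get-EventText $_.OperationName) -in $watchedOps -and (Get-EventText $_.Status) -eq 'Succeeded' }

$events | Sort-Object EventTimestamp |
    Select-Object EventTimestamp, Caller, @{ n = 'Operation'; e = { Get-EventText $_.OperationName } }, ResourceGroupName |
    Format-Table -AutoSize

foreach ($group in ($events | Group-Object Caller)) {
    $ops = @($group.Group | ForEach-Object { Get-EventText $_.OperationName } | Sort-Object -Unique)
    $touchedAutomation = @($ops | Where-Object { $_ -like 'Microsoft.Automation/*' }).Count -gt 0
    $assignedRole      = $ops -contains 'Microsoft.Authorization/roleAssignments/write'
    if ($touchedAutomation -and $assignedRole) {
        Write-Warning "Caller '$($group.Name)' both changed Automation resources and wrote a role assignment within $LookbackDays days; review the timeline above"
    }
}

# --- 2. Identities attached to Automation Accounts and the Azure RBAC roles they hold ---
foreach ($aa in Get-AzAutomationAccount) {
    $principals = @{}   # objectId -> description
    # Get-AzResource is assumed to expose the account's system-assigned identity via .Identity.PrincipalId
    $res = Get-AzResource -ResourceGroupName $aa.ResourceGroupName -ResourceType 'Microsoft.Automation/automationAccounts' -Name $aa.AutomationAccountName
    if ($res.Identity -and $res.Identity.PrincipalId) { $principals["$($res.Identity.PrincipalId)"] = 'managed identity' }

    # Legacy Run As account: the connection object records the service principal's ApplicationId.
    $runAs = Get-AzAutomationConnection -ResourceGroupName $aa.ResourceGroupName -AutomationAccountName $aa.AutomationAccountName -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue
    if ($runAs) {
        $sp = Get-AzADServicePrincipal -ApplicationId $runAs.FieldDefinitionValues['ApplicationId'] -ErrorAction SilentlyContinue
        if ($sp) { $principals["$($sp.Id)"] = 'Run As service principal (deprecated)' }
    }

    foreach ($objectId in @($principals.Keys)) {
        foreach ($ra in (Get-AzRoleAssignment -ObjectId $objectId -ErrorAction SilentlyContinue)) {
            $line = "{0}/{1}: {2} holds '{3}' on {4}" -f $aa.ResourceGroupName, $aa.AutomationAccountName, $principals[$objectId], $ra.RoleDefinitionName, $ra.Scope
            if ($ra.RoleDefinitionName -in $PrivilegedRoles) { Write-Warning $line } else { $line }
        }
    }
}
```

Two limits to keep in mind. Part 2 only covers Azure RBAC: Entra directory roles such as User Administrator (step 4 above) are not role assignments in ARM and have to be reviewed through Entra ID or Microsoft Graph. And Part 1 is a look-back query; for continuous coverage, forward the same operation names to a SIEM or Azure Monitor alert rule, and treat a webhook attached to a runbook whose identity holds Owner or Contributor as a finding regardless of who created it.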