From 0d9b4e5917c4325d13fbd4ff3115e079ed7dafc8 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Mon, 17 Feb 2025 18:08:59 +0100 Subject: [PATCH] aa persistence --- .../az-automation-accounts-persistence.md | 38 +++++++++++++++++++ .../az-services/az-automation-accounts.md | 6 +++ 2 files changed, 44 insertions(+) create mode 100644 src/pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md new file mode 100644 index 000000000..8c176976e --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md 
@@ -0,0 +1,38 @@ +# Az - Automation Accounts Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Storage Privesc + +For more information about Automation Accounts check: + +{{#ref}} +../az-services/az-automation-account.md +{{#endref}} + + +### Backdoor existing runbook + +If an attacker has access to the automation account, he could **add a backdoor** to an existing runbook to **maintain persistence** and **exfiltrate data** like tokens every time the runbook is executed. + +### Schedules & Webhooks + +Create or modify an existing Runbook and add a schedule or webhook to it. This will allow an attacker to **maintain persistence even if access over the environment was lost** by executing the backdoor which might be leaking tokens from the MI at specific times or whenever he wants by sending a request to the webhok. + +### Malware inside a VM used in a hybrid worker group + +If a VM is used as a hybrid worker group, an attacker could **install malware** inside the VM to **maintain persistence** and **exfiltrate data** like tokens for the managed identities given to the VM and to the automation account using the VM. + +### Custom environment packages + +If the automation account is using custom packages in custom environments, an attacker could **modify the package** to **maintain persistence** and **exfiltrate data** like tokens. This would also be a stealth persistence method as custom packages uploaded manually are rearely checked for malicious code. + +### Compromise external repos + +If the automation account is using external repos to store the code like Github, an attacker could **compromise the repo** to **maintain persistence** and **exfiltrate data** like tokens. This is specially interesting if the clatest evrsion of the code is automatically synced with the runbook. + + +{{#include ../../../banners/hacktricks-training.md}} + + + 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md b/src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md index fc45d6776..2e013bd5e 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md +++ b/src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md @@ -234,6 +234,12 @@ Get-AzAutomationHybridWorkerGroup -AutomationAccountName -R ../az-privilege-escalation/az-automation-accounts-privesc.md {{#endref}} +## Persistence + +{{#ref}} +../az-persistence/az-automation-accounts-persistence.md +{{#endref}} + ## References - [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview)
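Review bot: the `{{#ref}}` at the top of the new file `az-persistence/az-automation-accounts-persistence.md` points to `../az-services/az-automation-account.md`, but the service page edited in the second hunk lives at `az-services/az-automation-accounts.md` (plural), so this cross-reference will not resolve; change it to `../az-services/az-automation-accounts.md`. The first heading in that file, `## Storage Privesc`, looks copied from another page: this document is about Automation Accounts persistence, not storage privilege escalation, so it should be renamed (for example `## Automation Accounts`) so the "For more information about Automation Accounts check:" line sits under a heading that matches it. Typos in the body of the same hunk: `webhok` -> `webhook`, `rearely` -> `rarely`, `clatest evrsion` -> `latest version`, `specially` -> `especially`; the file also ends with several trailing blank lines after the closing banner include.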