gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 13:13:06 -08:00
Code Issues Packages Projects Releases Wiki Activity

aa persistence

Browse Source
This commit is contained in:
Carlos Polop
2025-02-17 18:08:59 +01:00
parent baa1c7240d
commit 0d9b4e5917
2 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md Normal file
View File

@@ -0,0 +1,38 @@
# Az - Automation Accounts Persistence
{{#include ../../../banners/hacktricks-training.md}}
## Storage Privesc
For more information about Automation Accounts check:
{{#ref}}
../az-services/az-automation-account.md
{{#endref}}
### Backdoor existing runbook
If an attacker has access to the automation account, he could **add a backdoor** to an existing runbook to **maintain persistence** and **exfiltrate data** like tokens every time the runbook is executed.
### Schedules & Webhooks
Create or modify an existing Runbook and add a schedule or webhook to it. This will allow an attacker to **maintain persistence even if access over the environment was lost** by executing the backdoor which might be leaking tokens from the MI at specific times or whenever he wants by sending a request to the webhok.
### Malware inside a VM used in a hybrid worker group
If a VM is used as a hybrid worker group, an attacker could **install malware** inside the VM to **maintain persistence** and **exfiltrate data** like tokens for the managed identities given to the VM and to the automation account using the VM.
### Custom environment packages
If the automation account is using custom packages in custom environments, an attacker could **modify the package** to **maintain persistence** and **exfiltrate data** like tokens. This would also be a stealth persistence method as custom packages uploaded manually are rearely checked for malicious code.
### Compromise external repos
If the automation account is using external repos to store the code like Github, an attacker could **compromise the repo** to **maintain persistence** and **exfiltrate data** like tokens. This is specially interesting if the clatest evrsion of the code is automatically synced with the runbook.
{{#include ../../../banners/hacktricks-training.md}}

6
src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md
View File

@@ -234,6 +234,12 @@ Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -R
../az-privilege-escalation/az-automation-accounts-privesc.md
{{#endref}}
## Persistence
{{#ref}}
../az-persistence/az-automation-accounts-persistence.md
{{#endref}}
## References
- [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview)