Az - Automation Accounts Persistence
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Storage Privesc
For more information about Automation Accounts check:
### Backdoor existing runbook
If an attacker has access to the automation account, he could add a backdoor to an existing runbook to maintain persistence and exfiltrate data like tokens every time the runbook is executed.
### Schedules & Webhooks
Create a runbook, or modify an existing one, and add a schedule or webhook to it. This allows an attacker to maintain persistence even if access to the environment is lost: the backdoor, which might be leaking tokens from the managed identity (MI), runs at specific times, or whenever the attacker wants by sending a request to the webhook.
### Malware inside a VM used in a hybrid worker group
If a VM is used in a hybrid worker group, an attacker could install malware inside the VM to maintain persistence and exfiltrate data like tokens for the managed identities given to the VM and to the automation account using the VM.
### Custom environment packages
If the automation account is using custom packages in custom environments, an attacker could modify the package to maintain persistence and exfiltrate data like tokens. This would also be a stealthy persistence method, as custom packages uploaded manually are rarely checked for malicious code.
### Compromise external repos
If the automation account is using external repos such as GitHub to store the code, an attacker could compromise the repo to maintain persistence and exfiltrate data like tokens. This is especially interesting if the latest version of the code is automatically synced with the runbook.
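
Several of the techniques on this page (runbook edits, schedules, webhooks, packages, source control) leave control-plane writes in the Activity Log that a defender can watch for. The following is an added example, not part of the original page: it assumes records shaped like `az monitor activity-log list` output, the sample events and caller names are constructed, and the watched operation names should be confirmed against your own logs.

```python
PREFIX = "microsoft.automation/automationaccounts/"
# Operation suffix -> reason. Assumed list; confirm names against your own Activity Log.
WATCHED = {
    "runbooks/write": "runbook created or updated",
    "runbooks/draft/write": "runbook content edited",
    "runbooks/publish/action": "runbook draft published",
    "schedules/write": "schedule created or updated",
    "jobschedules/write": "runbook linked to a schedule",
    "webhooks/write": "webhook created or updated",
    "modules/write": "PowerShell module added or changed",
    "python3packages/write": "Python package added or changed",
    "sourcecontrols/write": "source control integration changed",
}

def find_persistence_changes(events, allowed_callers=()):
    """Return successful watched changes made by callers outside the allowlist."""
    allowed = {c.lower() for c in allowed_callers}
    findings = []
    for ev in events:
        # Operation names show up in mixed or upper case depending on the export.
        op = (ev.get("operationName") or {}).get("value", "").lower()
        status = (ev.get("status") or {}).get("value", "").lower()
        # Skip Started/Failed records so each change is reported once.
        if status != "succeeded" or not op.startswith(PREFIX):
            continue
        reason = WATCHED.get(op[len(PREFIX):])
        caller = ev.get("caller") or "unknown"
        if reason and caller.lower() not in allowed:
            findings.append({"time": ev.get("eventTimestamp", ""), "caller": caller,
                             "reason": reason, "resource": ev.get("resourceId", "")})
    return sorted(findings, key=lambda f: f["time"])

def make_event(ts, op, status, caller):
    """Build a constructed record with only the fields the detector reads."""
    return {"eventTimestamp": ts, "caller": caller, "status": {"value": status},
            "operationName": {"value": "Microsoft.Automation/automationAccounts/" + op},
            "resourceId": "/subscriptions/<sub-id>/.../automationAccounts/<account>"}

# Constructed sample events (not real log data).
SAMPLE = [
    make_event("2024-05-01T08:00:00Z", "runbooks/publish/action", "Succeeded", "ci-deployer@example.com"),
    make_event("2024-05-01T09:05:00Z", "runbooks/draft/write", "Succeeded", "ops-user@example.com"),
    make_event("2024-05-01T09:10:00Z", "webhooks/write", "Succeeded", "ops-user@example.com"),
    make_event("2024-05-01T09:20:00Z", "schedules/write", "Failed", "ops-user@example.com"),
    make_event("2024-05-01T09:30:00Z", "jobs/write", "Succeeded", "ops-user@example.com"),
]
# Same kind of operation name as it appears upper-cased in some exports.
SAMPLE.append({"eventTimestamp": "2024-05-01T09:00:00Z", "caller": "ops-user@example.com",
               "status": {"value": "Succeeded"}, "resourceId": "<constructed>",
               "operationName": {"value": "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/JOBSCHEDULES/WRITE"}})

if __name__ == "__main__":
    for f in find_persistence_changes(SAMPLE, {"ci-deployer@example.com"}):
        print(f["time"], f["caller"], f["reason"])
```

Malware on a hybrid worker VM and changes made inside an external repo do not appear in these records and need host and repository monitoring instead.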