Az - Logic Apps Post Exploitation

Reading time: 5 minutes

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Logic Apps Database Post Exploitation

For more information about logic apps check:

{% content-ref url="../az-services/az-logic-apps.md" %} az-logic-apps.md {% endcontent-ref %}

"Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"

With these permissions, you can modify Logic App workflows and manage their identities. Specifically, you can assign or remove system-assigned and user-assigned managed identities to workflows, which allows the Logic App to authenticate and access other Azure resources without explicit credentials.

{% code overflow="wrap" %}

az logic workflow identity remove/assign \
  --name <workflow_name> \
  --resource-group <resource_group_name> \
  --system-assigned true \
  --user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"

{% endcode %}

"Microsoft.Web/sites/read", "Microsoft.Web/sites/write"

With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.

{% code overflow="wrap" %}

az logicapp update \
  --resource-group <resource_group_name> \
  --name <logic_app_name> \
  --set httpsOnly=false

{% endcode %}

"Microsoft.Web/sites/stop/action", "Microsoft.Web/sites/start/action" || "Microsoft.Web/sites/restart/action"

With this permission, you can start/stop/restart a web app, including Logic Apps hosted on an App Service Plan. This action ensures that a previously stopped app is brought online and resumes its functionality. This can disrupt workflows, trigger unintended operations, or cause downtime by starting, stopping, or restarting Logic Apps unexpectedly.

{% code overflow="wrap" %}

az webapp start/stop/restart \
  --name <logic_app_name> \
  --resource-group <resource_group_name>

{% endcode %}

"Microsoft.Web/sites/config/list/action", "Microsoft.Web/sites/read" && "Microsoft.Web/sites/config/write"

With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.

{% code overflow="wrap" %}

az logicapp config appsettings set \
  --name <logic_app_name> \
  --resource-group <resource_group_name> \
  --settings "<key>=<value>"

{% endcode %}

"Microsoft.Logic/integrationAccounts/write"

With this permission, you can create, update, or delete Azure Logic Apps integration accounts. This includes managing integration account-level configurations like maps, schemas, partners, agreements, and more.

{% code overflow="wrap" %}

az logic integration-account create \
  --resource-group <resource_group_name> \
  --name <integration_account_name> \
  --location <location> \
  --sku <Standard|Free> \
  --state Enabled

{% endcode %}

"Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/batchConfigurations/write"

With this permission, you can create or modify batch configurations within an Azure Logic Apps integration account. Batch configurations define how Logic Apps process and group incoming messages for batch processing.

{% code overflow="wrap" %}

az logic integration-account batch-configuration create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <batch_configuration_name> \
  --release-criteria '{
      "messageCount": 100,
      "batchSize": 1048576,
  }'

{% endcode %}

"Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/maps/write"

With this permission, you can create or modify maps within an Azure Logic Apps integration account. Maps are used to transform data from one format to another, enabling seamless integration between different systems and applications.

{% code overflow="wrap" %}

az logic integration-account map create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <map_name> \
  --map-type <Xslt|Xslt20|Xslt30> \
  --content-type application/xml \
  --map-content map-content.xslt

{% endcode %}

"Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/partners/write"

With this permission, you can create or modify partners in an Azure Logic Apps integration account. Partners represent entities or systems that participate in business-to-business (B2B) workflows.

{% code overflow="wrap" %}

az logic integration-account partner create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <partner_name> \
  --partner-type <partner-type> \
  --content '{
    "b2b": {
      "businessIdentities": [
        {
          "qualifier": "ZZ",
          "value": "TradingPartner1"
        }
      ]
    }
  }'

{% endcode %}

"Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/sessions/write"

With this permission, you can create or modify sessions within an Azure Logic Apps integration account. Sessions are used in B2B workflows to group messages and track related transactions over a defined period.

{% code overflow="wrap" %}

az logic integration-account session create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <session_name> \
  --content '{
    "properties": {
      "sessionId": "session123",
      "data": {
        "key1": "value1",
        "key2": "value2"
      }
    }
  }'

{% endcode %}

"*/delete"

With this permissions you can delete resources related to Azure Logic Apps

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)