Az - Logic Apps Post Exploitation

Reading time: 5 minutes

Logic Apps Database Post Exploitation

For more information about logic apps check:

Az - Logic Apps

Microsoft.Logic/workflows/read, Microsoft.Logic/workflows/write && Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

With these permissions, you can modify Logic App workflows and manage their identities. Specifically, you can assign or remove system-assigned and user-assigned managed identities to workflows, which allows the Logic App to authenticate and access other Azure resources without explicit credentials.

az logic workflow identity remove/assign \
  --name <workflow_name> \
  --resource-group <resource_group_name> \
  --system-assigned true \
  --user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"

Microsoft.Web/sites/read, Microsoft.Web/sites/write

With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.

az logicapp update \
  --resource-group <resource_group_name> \
  --name <logic_app_name> \
  --set httpsOnly=false

Microsoft.Web/sites/stop/action, Microsoft.Web/sites/start/action || Microsoft.Web/sites/restart/action

With this permission, you can start/stop/restart a web app, including Logic Apps hosted on an App Service Plan. This action ensures that a previously stopped app is brought online and resumes its functionality. This can disrupt workflows, trigger unintended operations, or cause downtime by starting, stopping, or restarting Logic Apps unexpectedly.

az webapp start/stop/restart \
  --name <logic_app_name> \
  --resource-group <resource_group_name>

Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/read && Microsoft.Web/sites/config/write

With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.

az logicapp config appsettings set \
  --name <logic_app_name> \
  --resource-group <resource_group_name> \
  --settings "<key>=<value>"

Microsoft.Logic/integrationAccounts/write

With this permission, you can create, update, or delete Azure Logic Apps integration accounts. This includes managing integration account-level configurations like maps, schemas, partners, agreements, and more.

az logic integration-account create \
  --resource-group <resource_group_name> \
  --name <integration_account_name> \
  --location <location> \
  --sku <Standard|Free> \
  --state Enabled

Microsoft.Resources/subscriptions/resourcegroups/read && Microsoft.Logic/integrationAccounts/batchConfigurations/write

With this permission, you can create or modify batch configurations within an Azure Logic Apps integration account. Batch configurations define how Logic Apps process and group incoming messages for batch processing.

az logic integration-account batch-configuration create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <batch_configuration_name> \
  --release-criteria '{
      "messageCount": 100,
      "batchSize": 1048576,
  }'

Microsoft.Resources/subscriptions/resourcegroups/read && Microsoft.Logic/integrationAccounts/maps/write

With this permission, you can create or modify maps within an Azure Logic Apps integration account. Maps are used to transform data from one format to another, enabling seamless integration between different systems and applications.

az logic integration-account map create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <map_name> \
  --map-type <Xslt|Xslt20|Xslt30> \
  --content-type application/xml \
  --map-content map-content.xslt

Microsoft.Resources/subscriptions/resourcegroups/read && Microsoft.Logic/integrationAccounts/partners/write

With this permission, you can create or modify partners in an Azure Logic Apps integration account. Partners represent entities or systems that participate in business-to-business (B2B) workflows.

az logic integration-account partner create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <partner_name> \
  --partner-type <partner-type> \
  --content '{
    "b2b": {
      "businessIdentities": [
        {
          "qualifier": "ZZ",
          "value": "TradingPartner1"
        }
      ]
    }
  }'

Microsoft.Resources/subscriptions/resourcegroups/read && Microsoft.Logic/integrationAccounts/sessions/write

With this permission, you can create or modify sessions within an Azure Logic Apps integration account. Sessions are used in B2B workflows to group messages and track related transactions over a defined period.

az logic integration-account session create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <session_name> \
  --content '{
    "properties": {
      "sessionId": "session123",
      "data": {
        "key1": "value1",
        "key2": "value2"
      }
    }
  }'

"*/delete"

With this permissions you can delete resources related to Azure Logic Apps