Az - Automation Accounts


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Azure Automation Accounts are cloud-based services in Microsoft Azure that help automate tasks such as resource management, configuration and updates across Azure and on-premises environments. They provide Runbooks (automation scripts that get executed), schedules and hybrid worker groups to run automation jobs, enabling infrastructure as code (IaC) and process automation for efficient and consistent management of cloud resources.

Settings

  • Credentials: Used to store usernames and passwords securely. The password can only be retrieved from inside a Runbook running in the Automation Account.
  • Variables: Used to store configuration data that Runbooks can consume. This can also be sensitive information such as API keys. If a variable is stored encrypted, its value is only accessible from inside a Runbook running in the Automation Account.
  • Certificates: Used to store certificates that Runbooks can use.
  • Connections: Used to store connection information for external services. This may contain sensitive information.
  • Network Access: Can be set to public or private.

Runbooks & Jobs

A Runbook in Azure Automation is a script that runs automatically inside your cloud environment. Runbooks can be written in PowerShell, Python or with graphical editors. They help automate administrative tasks such as VM management, patching or compliance checks.

The code inside Runbooks may contain sensitive information (such as creds).

A Job is an execution instance of a Runbook. When you run a Runbook, a Job is created to track that execution. Each job includes:

  • Status: Queued, Running, Completed, Failed, Suspended.
  • Output: The result of the Runbook execution.
  • Start and End Time: When the job started and finished.

A job holds the output of the Runbook execution. If you can read jobs, do so, since they contain the output of the run (potentially sensitive information).

Schedules & Webhooks

There are 3 main ways to execute a Runbook:

  • Schedules: Used to trigger Runbooks at a specific time or interval.
  • Webhooks: HTTP endpoints that can be used to trigger Runbooks from external services. Note that the webhook URL cannot be viewed after it has been created.
  • Manual Trigger: You can manually start a Runbook from the Azure Portal and from the cli.

Source Control

Allows importing Runbooks from Github, Azure Devops (Git) and Azure Devops (TFVC). It's possible to indicate to publish the Runbooks of the repo into the Azure Automation account and also to sync changes from the repo into the Azure Automation account.

When sync is enabled, a webhook is created in the github repository to trigger the sync every time a push event occurs. Example of webhook URL: https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d

Note that these webhooks won't appear when listing the webhooks of the runbooks associated with the Github repo. Also note that it's not possible to change the repo URL of a source control once it has been set.

For the configured source control to work, the Azure Automation Account needs a managed identity (system or user assigned) with the Contributor role. Moreover, to assign a user-assigned managed identity to the Automation Account, the client ID of the user-assigned MI must be set in the variable AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID.

Runtime Environments

When creating a Runbook it's possible to choose the runtime environment. By default the following environments are available:

  • Powershell 5.1
  • Powershell 7.1
  • PowerShell 7.2
  • Python 3.10
  • Python 3.8
  • Python 2.7

However, it's also possible to create your own environments using one of these as base. For python it's possible to upload .whl packages to the environment that will be used. For PowerShell it's possible to upload .zip packages containing the modules to make available during execution.

Hybrid Worker Groups

In Azure Automation the default execution environment for runbooks is the Azure Sandbox, a cloud platform managed by Azure and suitable for tasks that involve Azure resources. However, this sandbox has limitations, such as no access to local resources and restrictions on execution time and resource usage. To overcome these limitations, Hybrid Worker Groups are used. A Hybrid Worker Group consists of one or more Hybrid Runbook Workers installed on your own machines, whether on-premises, in other cloud environments or Azure VMs. This setup lets runbooks run directly on those machines, providing direct access to local resources, the ability to run long and resource-intensive jobs, and the flexibility to interact with environments beyond Azure's direct reach.

When a hybrid worker group is created it's necessary to indicate the credentials to use. There are 2 options:

  • Default credentials: No credentials need to be provided and runbooks will run inside the VMs as System.
  • Specific credentials: You need to provide the name of a credentials object inside the automation account, which will be used to run runbooks inside the VMs. Therefore, in this case, it might be possible to steal valid credentials of the VMs.

Therefore, if you can choose to run a Runbook in a Hybrid Worker, you'll execute arbitrary commands inside the external machine as System (nice pivot technique).

Moreover, if the hybrid worker runs in Azure and has another Managed Identity attached, the runbook will be able to access the managed identity of the runbook and all the managed identities of the VM from the metadata service.

tip

Note that the metadata service has a different URL (http://169.254.169.254) than the one used to get the token of the automation account identity (IDENTITY_ENDPOINT).

State Configuration (SC)

warning

As indicated in the docs, Azure Automation State Configuration will be retired on 30 September 2027 and replaced by Azure Machine Configuration.

Automation Accounts also support State Configuration (SC), a feature that helps create and maintain the state of your VMs. It's possible to create and apply DSC configurations for Windows and Linux machines.

From an attacker's perspective this was interesting because it allowed running arbitrary PS code in all the configured VMs, making it possible to escalate privileges to the managed identities of those VMs and potentially pivot to new networks... Moreover, the configurations may contain sensitive information.

Enumeration

```bash
# List Automation Accounts
az automation account list --output table

# Get Automation Account details
# Check the network access in `privateEndpointConnections` and `publicNetworkAccess`
# Check the managed identities in `identity`
az automation account show --name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get keys of automation account
## These are used for the DSC
az automation account list-keys --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get schedules of automation account
az automation schedule list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get connections of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections?api-version=2023-11-01"

# Get connection details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections/<connection-name>?api-version=2023-11-01"

# Get credentials of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials?api-version=2023-11-01"

# Get credential details
## Note that you will only be able to access the password from inside a Runbook
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials/<credential-name>?api-version=2023-11-01"

# Get certificates of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates?api-version=2023-11-01"

# Get certificate details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates/<certificate-name>?api-version=2023-11-01"

# Get variables of automation account
## It's possible to get the value of unencrypted variables but not the encrypted ones
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables?api-version=2023-11-01"

# Get variable details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables/<variable-name>?api-version=2023-11-01"

# Get runbooks of an automation account
az automation runbook list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get runbook details
az automation runbook show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <RUNBOOK-NAME>

# Get runbook content
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/runbooks/<runbook-name>/content?api-version=2023-11-01"

# Get jobs of an automation account
az automation job list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get job details
az automation job show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <JOB-NAME>

# Get job output
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"

# Get the Runbook content when the job was executed
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/runbookContent?api-version=2023-11-01"

# Get webhooks inside an automation account
## It's possible to see to which runbook it belongs in the given data
## For security reasons it's not possible to see the URL of the webhook after creating it, here is a URL example: https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=dOdnxk6z7ugAxiuyUMKgPuDMav2Jw5EJediMdiN4jLo%3d
## Generating a webhook can be useful from a persistence perspective
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/webhooks?api-version=2018-06-30"

# Get the source control setting of an automation account (if any)
## inside the output it's possible to see if the autoSync is enabled, if the publishRunbook is enabled and the repo URL
az automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get custom runtime environments
## Check in defaultPackages for custom ones, by default Python envs won't have anything here and PS1 envs will have "az" and "azure cli"
az automation runtime-environment list \
--resource-group <res-group> \
--automation-account-name <account-name> \
--query "[?!(starts_with(description, 'System-generated'))]"

# Get State Configurations (SC) of an automation account
az automation dsc configuration list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get State Configuration details
az automation dsc configuration show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>

# Get State Configuration content
az automation dsc configuration show-content --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>

# Get hybrid worker groups for an automation account
az automation hrwg list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get hybrid worker group details
az automation hrwg show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <HYBRID-WORKER-GROUP>

# Get more details about a hybrid worker group (like VMs inside it)
az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/hybridRunbookWorkerGroups/<hybrid-worker-group-name>/hybridRunbookWorkers?api-version=2021-06-22"
```
```powershell
# Check user rights for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group

# Get Azure Automation accounts in a resource group
Get-AzAutomationAccount

# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)

# List & get Runbooks code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp

# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info by loading them in a Runbook and printing them

# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
```
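The output of the enumeration commands above can be triaged automatically. The following script is an added example (not part of the original page, the Azure CLI or the Az module): it takes constructed JSON shaped like the responses of `az automation account show`, the `/variables`, `/webhooks` and `/hybridRunbookWorkerGroups` REST calls and `az automation source-control list`, and flags the settings the sections above call out (public network access, managed identities, unencrypted secret-like variables, enabled webhooks, hybrid worker credentials, auto-synced source control). The field names follow the Microsoft.Automation REST API as I understand it; the values are made up.

```python
# Constructed sample data shaped like the JSON returned by the enumeration
# commands above (`az automation account show`, the /variables, /webhooks and
# /hybridRunbookWorkerGroups REST calls, `az automation source-control list`).
# Field names follow the Microsoft.Automation REST API; every value is made up.
ACCOUNT = {"name": "auto-prod", "publicNetworkAccess": True,
           "identity": {"type": "SystemAssigned, UserAssigned"}}
VARIABLES = [
    {"name": "ApiKey", "properties": {"isEncrypted": False, "value": "\"constructed-key\""}},
    {"name": "DbPassword", "properties": {"isEncrypted": True, "value": None}},
    {"name": "Region", "properties": {"isEncrypted": False, "value": "\"eastus\""}},
]
WEBHOOKS = [{"name": "wh-deploy", "properties": {"isEnabled": True,
            "expiryTime": "2031-01-01T00:00:00Z", "runbook": {"name": "Deploy-Prod"}}}]
HRWGS = [{"name": "onprem-workers", "properties": {"credential": {"name": "DomainAdminCred"}}},
         {"name": "azure-workers", "properties": {"credential": None}}]
SOURCE_CONTROLS = [{"name": "gh", "repoUrl": "https://github.com/example/runbooks",
                    "autoSync": True, "publishRunbookEnabled": True}]

SECRET_HINTS = ("key", "secret", "password", "pwd", "token", "connectionstring")  # name fragments that suggest a secret


def triage(account, variables, webhooks, hrwgs, source_controls):
    """Return (severity, message) findings for the settings the sections above call out."""
    findings = []
    if account.get("publicNetworkAccess", True):
        findings.append(("medium", "public network access enabled: reachable without a private endpoint"))
    id_type = (account.get("identity") or {}).get("type", "None")
    if id_type != "None":
        findings.append(("info", f"managed identity attached ({id_type}): runbooks inherit its RBAC roles"))
    for var in variables:  # unencrypted values are returned by the /variables REST call
        props = var["properties"]
        if not props.get("isEncrypted") and any(h in var["name"].lower() for h in SECRET_HINTS):
            findings.append(("high", f"variable '{var['name']}' looks like a secret but is stored unencrypted"))
    for hook in webhooks:  # anyone holding the webhook URL can start the runbook until it expires
        props = hook["properties"]
        if props.get("isEnabled"):
            findings.append(("medium", f"enabled webhook '{hook['name']}' triggers runbook "
                                       f"'{props['runbook']['name']}' until {props['expiryTime']}"))
    for group in hrwgs:  # jobs run as SYSTEM unless a credential object is configured
        cred = (group["properties"].get("credential") or {}).get("name")
        findings.append(("high" if cred else "medium",
                         f"hybrid worker group '{group['name']}' runs jobs as {cred or 'SYSTEM'} on its members"))
    for sc in source_controls:  # autoSync + publish turns repo write access into runbook execution
        if sc.get("autoSync") and sc.get("publishRunbookEnabled"):
            findings.append(("high", f"source control '{sc['name']}' auto-publishes pushes from {sc['repoUrl']}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(ACCOUNT, VARIABLES, WEBHOOKS, HRWGS, SOURCE_CONTROLS):
        print(f"[{severity.upper():6}] {message}")
```

Feed it the real `az` / `az rest` JSON (the list responses carry the items under `value`) and review the `high` findings first.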

Privilege Escalation & Post Exploitation

Az - Automation Accounts Privesc
