Keypoints
- Azure Site Recovery (ASR) enables an Automation Account with a System-Assigned Managed Identity to manage Site Recovery extensions when Extension Update Settings are enabled.
- The ASR-created Runbook is hidden, but its Job output remains visible in the Automation Account Jobs tab and JSON view.
- Job output contained a cleartext management-scoped Access Token (truncated in Portal view) for the System-Assigned Managed Identity that holds the Contributor role on the subscription.
- Any low-privileged role with Microsoft.Automation/automationAccounts/jobs/output/read (e.g., Reader, Log Analytics Reader) can retrieve the full token via Az PowerShell and authenticate as the managed identity.
- Using the stolen token (as -AccessToken) and the Enterprise Application ID (as -AccountId), an attacker can run Connect-AzAccount and gain Contributor privileges across the subscription, enabling actions such as Run Command as SYSTEM on VMs.
- Microsoft remediated the issue for new and existing ASR deployments as of 2024-02-13.
MITRE Techniques
- [T1552] Unsecured Credentials – The Job output disclosed a cleartext token accessible to low-privilege roles. (‘Both Jobs contained output with a cleartext Access Token being truncated.’)
- [T1550] Use Alternate Authentication Material – The stolen access token is reused to authenticate as the managed identity. (‘With the Access Token and Enterprise Application ID, the low-privileged user (blogReader) can authenticate as the System-Assigned Managed Identity which has the Contributor role on the entire subscription.’)
- [T1068] Exploitation for Privilege Escalation – A lower-privileged user can escalate to Contributor by reading the token. (‘a lower-privileged user role could read this Access Token and authenticate as the Managed Identity, elevating their privileges to a Contributor over the entire subscription’)
- [T1543] Create or Modify System Process – ASR creates an Automation Account and a System-Assigned Managed Identity used to manage updates; this is the service's own provisioning rather than attacker activity, and the mapping describes the component the attack abuses. (‘the Extension Update Setting … creates a new Automation Account … which is used to manage the Site Recovery extensions’ and ‘the System-Assigned Managed Identity gets created with the Automation Account’)
- [T1059] Command and Scripting Interpreter – With elevated Contributor privileges an attacker can run commands on VMs (Run Command) as NT AUTHORITY\SYSTEM. (‘Invoke-AzVMRunCommand … Message : nt authority\system’)
- [T1036] Masquerading – Actions performed with the managed identity token are attributed in the Activity Log to the ASR-created identity, so they blend in with legitimate ASR service operations. (‘authenticate as the Managed Identity, which has the Contributor role on the entire subscription’)
- [T1496] Resource Hijacking – Contributor access enables abuse of subscription resources for malicious purposes. (‘hijack Azure resources for malicious purposes, such as deploying cryptocurrency miners or launching further attacks.’)
Indicators of Compromise
- [Automation Account] ASR-created Automation Account name used in examples – blogASR-c99-asr-automationaccount
- [Job/Runbook names] Visible Job entries that contained token output – MS-SR-Update-MobilityServiceForA2AVirtualMachines, MS-ASR-Modify-AutoUpdateForA2AVirtualMachines
- [Access Token sample] Truncated access token shown in Job output – ‘eyJ0eXAi[REDACTED]’ (used to Connect-AzAccount and authenticate as the managed identity)
- [Enterprise/Application IDs] IDs associated with the managed identity and authentication – example AccountId ee7f506d-65d4-492f-acb1-0ddb8e0d29cd and ObjectId cd459283-0d93-47fd-a614-c9280b2634ef
- [Resource Groups] Automation Account resource group referenced in retrieval commands – blogRG2 (job output retrieved with AutomationAccountName, Job ID, and ResourceGroupName)
The technical exploit begins when ASR’s Extension Update Settings create an Automation Account and a System-Assigned Managed Identity that holds Contributor over the subscription. Although the Runbook itself is hidden, its Jobs and JSON output remain readable; those Job outputs included a management-scoped access token in cleartext (visibly truncated in the Portal). A principal with Microsoft.Automation/automationAccounts/jobs/output/read — for example, Reader or Log Analytics Reader — can enumerate the Automation Account Jobs, note the Job ID and AutomationAccountName, and retrieve the full output.
Using Az PowerShell (Get-AzAutomationJobOutput -AutomationAccountName <account> -Id <jobId> -ResourceGroupName <resourceGroup> -Stream "Any" | Get-AzAutomationJobOutputRecord), a low-privileged user can extract the access_token value (e.g., ‘eyJ0eXAi[REDACTED]’) and then run Connect-AzAccount -AccessToken <token> -AccountId <enterpriseApplicationId>. Once authenticated as the System-Assigned Managed Identity, an attacker inherits its Contributor role across the subscription; from there they can run commands on VMs, modify resources, and perform further lateral movement or persistence activities.
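As an added example (not code from the original post), the hunt a defender or tester would run to confirm whether any Automation Account job output in the current subscription still leaks a token of this shape. It uses the Az.Automation cmdlets named on the page, plus Get-AzAutomationAccount and Get-AzAutomationJob for enumeration, and needs only the jobs/output/read permission the page describes. The function names, the JWT regex, and the claim names it reports (aud, appid, oid, xms_mirid, exp) are assumptions about a standard Entra ID access token, not something the post shows.

```powershell
# Added example, not from the original post. Assumes an existing Connect-AzAccount
# session and the Az.Accounts / Az.Automation modules. Function names and the claim
# names reported below are this example's assumptions.
#Requires -Modules Az.Accounts, Az.Automation

# Entra ID access tokens are three base64url segments; the header starts with "eyJ".
$jwtPattern = 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'

function ConvertFrom-JwtPayload {
    # Decode the payload (claims) segment without validating the signature; we only
    # want to see who the token belongs to and when it expires.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Find-AutomationJobTokens {
    param([int]$MaxJobsPerAccount = 50)
    foreach ($acct in Get-AzAutomationAccount) {
        $jobs = Get-AzAutomationJob -ResourceGroupName $acct.ResourceGroupName `
                    -AutomationAccountName $acct.AutomationAccountName |
                Sort-Object StartTime -Descending | Select-Object -First $MaxJobsPerAccount
        foreach ($job in $jobs) {
            # Same retrieval path as the page: streams for the job, then full records.
            $records = Get-AzAutomationJobOutput -ResourceGroupName $acct.ResourceGroupName `
                           -AutomationAccountName $acct.AutomationAccountName `
                           -Id $job.JobId -Stream Any |
                       Get-AzAutomationJobOutputRecord
            foreach ($rec in $records) {
                # Summary is the truncated text the Portal shows; Value carries the full record.
                $full = if ($rec.Value) { $rec.Value | ConvertTo-Json -Depth 10 -Compress } else { '' }
                $text = "$($rec.Summary) $full"
                foreach ($m in [regex]::Matches($text, $jwtPattern)) {
                    $claims = try { ConvertFrom-JwtPayload $m.Value } catch { $null }
                    [pscustomobject]@{
                        AutomationAccount = $acct.AutomationAccountName
                        ResourceGroup     = $acct.ResourceGroupName
                        JobId             = $job.JobId
                        Runbook           = $job.RunbookName
                        StreamType        = $rec.Type
                        TokenPrefix       = $m.Value.Substring(0, 12) + '...'   # never log the whole token
                        Audience          = $claims.aud        # expect https://management.azure.com/ for the ASR case
                        AppId             = $claims.appid      # the value the page passes as -AccountId
                        ObjectId          = $claims.oid
                        ManagedIdentity   = $claims.xms_mirid  # resource ID of the identity, when present
                        ExpiresUtc        = if ($claims.exp) {
                                                [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
                                            } else { $null }
                    }
                }
            }
        }
    }
}

Find-AutomationJobTokens | Format-Table -AutoSize
```

Run it as the low-privileged principal you are testing (a Reader is enough) to reproduce the exposure from the attacker's viewpoint, or as an administrator after the 2024-02-13 fix to confirm no historical job output still carries a live token. A hit with an unexpired ExpiresUtc is exactly the material the page's next step consumes (Connect-AzAccount -AccessToken with the AppId column as -AccountId); a hit that has expired is still worth recording, since it shows the job produced the token and the identity's role assignments should be reviewed.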
Key remediation noted: Microsoft implemented a fix for new and existing ASR deployments on 2024-02-13 so that the token is no longer written to Job output. Mitigation for affected tenants included auditing existing Automation Account job outputs for exposed tokens, restricting which principals hold Microsoft.Automation/automationAccounts/jobs/output/read (Reader alone is sufficient to read it), and rotating any credentials or service principals found to be exposed.