“Exploiting Azure Automation Account Packages and Runtime Environments”

Azure Automation Accounts now support Runtime Environments for custom PowerShell modules and Python packages, which introduces a new attack surface: an attacker with sufficient rights can upload a malicious package to an Automation Account and use it to retain persistent access. The article provides PoCs for both a PowerShell module and a Python package, demonstrates how Managed Identity tokens can be exfiltrated via HTTP callbacks, and offers detection and hunting guidance for identifying such packages. #AzureAutomation #RuntimeEnvironments #PowerUpSQL #aws_consoler #NetSPI

Keypoints

  • Azure Automation Accounts now support custom PowerShell modules and Python packages.
  • Runtime Environments replace traditional module management, enabling more flexible execution environments.
  • Attackers can upload malicious packages to Automation Accounts for persistent access.
  • Steps to create and upload malicious packages are shown for both PowerShell and Python, using PowerUpSQL and aws_consoler as the backdoored base packages.
  • A tool (Get-AzAutomationCustomModules) is provided to enumerate and review custom modules and packages across a subscription.
  • Detection and hunting guidance includes reviewing custom modules and monitoring Azure Activity Logs for unauthorized package uploads.

MITRE Techniques

  • [T1003] Credential Dumping – Exfiltration of Managed Identity tokens via HTTP callbacks.
  • [T1195] Supply Chain Compromise – Malicious packages uploaded to Azure Automation Accounts.
  • [T1136] Persistence – Using backdoored modules for persistent access to Automation Accounts.
  • [T1071] Command and Control – HTTP callbacks to exfiltrate tokens.

Indicators of Compromise

  • [URL] Callback endpoints used by the malicious package – given only as placeholders in the PoCs: YOUR_URL_HERE/, https://YOUR_URL_HERE
  • [Filename] Malicious PowerShell package components – PowerUpSQL.psd1, PowerUpSQL.psm1
  • [Filename] Malicious Python package components – aws_consoler.py, setup.py
  • [Archive] Zipped package file named after the module – PowerUpSQL.zip

Read more: https://www.netspi.com/blog/technical-blog/cloud-pentesting/backdooring-azure-automation-account-packages-and-runtime-environments/