AZContributor

​

Abuse Info

• Key Vault: You can read secrets and alter access policies (grant yourself access to read secrets)
• Automation Account: You can create a new runbook that runs as the Automation Account, and edit existing runbooks. Runbooks can be used to authenticate as the Automation Account and abuse privileges held by the Automation Account. If the Automation Account is using a ‘RunAs’ account, you can gather the certificate used to login and impersonate that account.
• Virtual Machine: Run SYSTEM commands on the VM

​

Opsec Considerations

​

References

• https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/
• https://blog.netspi.com/azure-automation-accounts-key-stores/
• https://blog.netspi.com/get-azurepasswords/
• https://blog.netspi.com/attacking-azure-cloud-shell/