
Commit 6234266

auto acc
1 parent 9c3a698 commit 6234266


2 files changed

+8
-10
lines changed


src/pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -10,7 +10,7 @@ Fore more information check:
1010
../az-services/az-automation-accounts.md
1111
{{#endref}}
1212

13-
### Hybrid Workers
13+
### Hybrid Workers Group
1414

1515
Remember that if somehow an attacker can execute an arbitrary runbook (arbitrary code) in a hybrid worker, he will **pivot to the location of the VM**. This could be an on-premise machine, a VPC of a different cloud or even an Azure VM.
1616

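Review bot: the new heading `### Hybrid Workers Group` pairs a plural with a singular; the Azure portal label, which this same commit quotes in the services page as `Hybrid worker groups`, is plural on "groups", so `### Hybrid Worker Groups` would be the consistent form. While in this area, the hunk header context still reads `Fore more information check:`, a one-word typo fix worth bundling into the same commit.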
@@ -66,7 +66,7 @@ az rest --method GET \
6666
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"
6767
```
6868

69-
If there aren't Runbooks created, or ou want to create a new one, you will need the **permissions `Microsoft.Resources/subscriptions/resourcegroups/read` and `Microsoft.Automation/automationAccounts/runbooks/write`** to do it using:
69+
If there aren't Runbooks created, or you want to create a new one, you will need the **permissions `Microsoft.Resources/subscriptions/resourcegroups/read` and `Microsoft.Automation/automationAccounts/runbooks/write`** to do it using:
7070

7171
```bash
7272
az automation runbook create --automation-account-name <account-name> --resource-group <res-group> --name <runbook-name> --type PowerShell

src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md

Lines changed: 6 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -14,14 +14,12 @@ Azure Automation Accounts are cloud-based services in Microsoft Azure that help
1414
- **Connections**: Used to store **connection information** to external services. This could contain **sensitive information**.
1515
- **Network Access**: It can be set to **public** or **private**.
1616

17-
## Runbooks & Jobs
17+
### Runbooks & Jobs
1818

1919
A Runbook in Azure Automation is a **script that performs tasks automatically** within your cloud environment. Runbooks can be written in PowerShell, Python, or Graphical editors. They help automate administrative tasks like VM management, patching, or compliance checks.
2020

2121
In the **code** located inside **Runbooks** could contains **sensitive info** (such as creds).
2222

23-
Go to `Automation Accounts` --> `<Select Automation Account>` --> `Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`
24-
2523
A **Job is an instance of a Runbook execution**. When you run a Runbook, a Job is created to track that execution. Each job includes:
2624

2725
- **Status**: Queued, Running, Completed, Failed, Suspended.
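Review bot: the deleted line 23 (`Go to Automation Accounts --> <Select Automation Account> --> Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`) was the only pointer on the page to where those assets, including the credentials, variables, certificates and connections flagged above as sensitive, are reached in the portal, and nothing in the diff re-adds it elsewhere; the commit message `auto acc` gives no reason for dropping it. If the goal is to tidy the section, move the path up under the asset list rather than deleting it. The demotion of `## Runbooks & Jobs` to `###` is consistent with `### Runtime Environments` further down. The context line `In the **code** located inside **Runbooks** could contains **sensitive info**` is also ungrammatical and could be fixed in the same pass: `The code inside Runbooks could contain sensitive info (such as creds).`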
@@ -42,15 +40,15 @@ There are 3 main ways to execute a Runbook:
4240

4341
It allows to import Runbooks from **Github, Azure Devops (Git) and Azure Devops (TFVC)**. It's possible to indicate it to publish the Runbooks of the repo to Azure Automation account and it's also possible to indicate to **sync the changes from the repo** to the Azure Automation account.
4442

45-
When the sync is enabled, in the **Github repository a webhook is created** to trigger the sync everytime a push event ocurs. Example of a webhook URL: `https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d`
43+
When the sync is enabled, in the **Github repository a webhook is created** to trigger the sync every time a push event occurs. Example of a webhook URL: `https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d`
4644

4745
Note that these webhooks **won't be visible** when listing webhooks in the associated runbooks to the Github repo. Also note that it's **not possible to change the repo URL** of a source control once it's created.
4846

49-
In order for the configured source control to work, the **Azure Automation Account** needs to have a managed identity (system or user) with the **`Contributor`** role. Moreover, to assing a user managed identity to the Automation Account, it's needed to indicate the client ID of the user MI in the variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`**.
47+
In order for the configured source control to work, the **Azure Automation Account** needs to have a managed identity (system or user) with the **`Contributor`** role. Moreover, to assign a user managed identity to the Automation Account, it's needed to indicate the client ID of the user MI in the variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`**.
5048

5149
### Runtime Environments
5250

53-
When creating a Runbook it'spossible to select the runtime environment. By default, the following runtime environments are available:
51+
When creating a Runbook it's possible to select the runtime environment. By default, the following runtime environments are available:
5452

5553
- **Powershell 5.1**
5654
- **Powershell 7.1**
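Review bot: the example webhook URL in line 43 still embeds a complete `token=` query value; that token is what authorises a push-triggered sync, so the example should carry a placeholder (`https://<id>.webhook.eus.azure-automation.net/webhooks?token=<token>`) instead of a real-looking secret, whether or not it is still valid. Two smaller points in the same hunk: line 47 says the managed identity needs `Contributor` but not at which scope (the Automation Account, its resource group or the subscription), and that scope is exactly what decides how far an attacker who controls the source repo can reach; and `Github`/`Azure Devops` should be `GitHub`/`Azure DevOps`.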
@@ -71,7 +69,7 @@ When a hybrid worker group is created it's needed to indicate the **credentials*
7169
- **Default credentials**: You don't need to provide the credentials and the runbooks will be executed inside the VMs as **System**.
7270
- **Specific credentials**: You need to provide the name of the credentials object inside the automation account, which will be used to execute the **runbooks inside the VMs**. Therefore, in this case, it could be possible to **steal valid credentials** for the VMs.
7371

74-
Therefore, if you can choose to run a **Runbook** in a **Windows Hybrid Worker**, you will execute **arbitrary commands** inside an external machine as **System** (nice pivot technique).
72+
Therefore, if you can choose to run a **Runbook** in a **Hybrid Worker**, you will execute **arbitrary commands** inside an external machine as **System** (nice pivot technique).
7573

7674
Moreover, if the hybrid worker is running in Azure with other Managed Identities attached, the runbook will be able to access the **managed identity of the runbook and all the managed identities of the VM from the metadata service**.
7775

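Review bot: removing `Windows` from line 72 widens the sentence to every hybrid worker, but it still promises execution `as **System**`, which is a Windows account name, and the default-credentials bullet in line 69 makes the same Windows-specific statement. Either keep the `Windows` qualifier or phrase the privilege level per worker OS, so the text does not claim SYSTEM on a Linux worker.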
@@ -173,7 +171,7 @@ az rest --method GET \
173171

174172
# Get the source control setting of an automation account (if any)
175173
## inside the output it's possible to see if the autoSync is enabled, if the publishRunbook is enabled and the repo URL
176-
aaz automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
174+
az automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
177175

178176
# Get custom runtime environments
179177
## Check in defaultPackages for custom ones, by default Python envs won't have anything here and PS1 envs will have "az" and "azure cli"
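Review bot: the `aaz` fix is correct; as a style point, the placeholders `<AUTOMATION-ACCOUNT>`/`<RG-NAME>` used here and `<automation-account-name>`/`<res-group>` used in the privesc page commands should follow one convention, since readers copy commands between the two pages.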
