services / Azure / Automation DSC agent registration information
DSC agent registration information for an Azure Automation account contains the registration endpoint URL and the primary/secondary registration keys that machines use to enroll as DSC pull-mode managed nodes.
The registration keys are credential material: anyone holding a key together with the endpoint URL can register arbitrary (rogue) nodes against the account and pull the desired-state configurations assigned to them, which routinely embed credentials and internal details of managed machines, so this resource is treated as CRITICAL.
Microsoft.Automation/automationAccounts/agentRegistrationInformation/regenerateKey/action
Regenerating a registration key returns the new key to the caller (credential exfiltration that enables rogue node onboarding and lateral access) and invalidates the previous key, so any node onboarding or re-registration that still uses the old key fails until it is updated.
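Because this action is usually granted indirectly through a wildcard (`*`, `Microsoft.Automation/*`) rather than listed by name, auditing who can call it means expanding Azure RBAC wildcards against the exact action string. The following is an added example, not code from this page or from P0 Security; it implements Azure's documented matching rules (a `*` matches any run of characters including `/`, comparison is case-insensitive, an entry in NotActions removes what Actions granted) over simplified, constructed role definitions. The role names and permission sets below are illustrative stand-ins, not authoritative copies of the built-in roles.

```python
import re

# The control-plane action this page describes.
REGENERATE_KEY_ACTION = (
    "Microsoft.Automation/automationAccounts/"
    "agentRegistrationInformation/regenerateKey/action"
)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: '*' matches any run of characters
    (including '/') and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """A role grants a control-plane action when the action matches some
    entry in Actions and no entry in NotActions. DataActions do not apply
    to control-plane actions such as regenerateKey, so they are ignored."""
    allowed = any(action_matches(p, action) for p in role.get("actions", []))
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def roles_granting(roles, action: str = REGENERATE_KEY_ACTION) -> list:
    """Names of the roles that effectively grant the action, sorted."""
    return sorted(r["roleName"] for r in roles if role_grants(r, action))


# Constructed, simplified role definitions (assumed shape: one flat dict per
# role). They are not pulled from Azure and are not exact copies of the
# built-in roles; they exist only to exercise the wildcard logic.
SAMPLE_ROLES = [
    {"roleName": "Owner", "actions": ["*"], "notActions": []},
    {"roleName": "Reader", "actions": ["*/read"], "notActions": []},
    {
        "roleName": "Automation Contributor",
        "actions": ["Microsoft.Automation/*"],
        "notActions": [],
    },
    {
        # Hypothetical custom role: broad automation-account rights, but the
        # key-regeneration action is carved out explicitly via NotActions.
        "roleName": "DSC Operator (custom)",
        "actions": ["Microsoft.Automation/automationAccounts/*"],
        "notActions": [REGENERATE_KEY_ACTION],
    },
]


if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(f"{role['roleName']:<28} grants regenerateKey: "
              f"{role_grants(role, REGENERATE_KEY_ACTION)}")
    print("Roles to review:", roles_granting(SAMPLE_ROLES))
```

To run this against a real tenant, export the role definitions with `az role definition list` and flatten each entry's `permissions[].actions` / `permissions[].notActions` into the one-dict-per-role shape assumed above; every role the function reports, together with the principals assigned to it at subscription, resource-group or account scope, is a path to the registration keys.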
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security