An Azure Automation account is the top-level container for runbooks, schedules, assets (variables, credentials, certificates), DSC/hybrid-worker registration, and an optional managed/Run As identity used to execute automation across the subscription.
The account's managed/Run As identity often holds broad subscription roles, and the account holds runbook code and secret assets, making it a high-value automation control point.
Microsoft.Automation/automationAccounts/listKeys/action
Returns the account's primary and secondary registration keys, the credential material used to enroll DSC nodes and hybrid runbook workers. With these keys an attacker can register a rogue hybrid worker and execute code under the account's identity, so exposure of this permission amounts to secret-key exfiltration that enables lateral movement.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security