H3-2026-0045¶

Hardcoded Credentials in Azure Automation Runbook

Description¶

An Azure Automation runbook contained hardcoded credentials – such as passwords, API keys, connection strings, access tokens, or private keys – embedded directly in the runbook source code. NodeZero downloaded and analyzed the runbook source code (both published and draft versions) and extracted credential material that could be used to access other systems or escalate privileges.

Impact¶

An attacker with read access to the Automation Account can extract embedded credentials from runbook source code and use them to authenticate to other Azure resources, external services, or databases – potentially escalating privileges beyond the automation context.

References¶

• CWE-798: Use of Hard-coded Credentials
• Microsoft Docs: Manage credentials in Azure Automation
• MITRE ATT&CK Technique: T1552.001: Unsecured Credentials: Credentials In Files