Keypoints
- Azure Batch provides scalable pools of worker nodes for executing jobs and tasks, integrating closely with Azure Storage for resource files.
- Resource files for pool start tasks can generate Storage Account SAS tokens automatically, which are exposed in Batch account configuration.
- Principals with Reader access to a Batch account can view job outputs, start-task resource URLs, and generated SAS tokens (default 7-day expiry).
- Principals with Contributor access can create/modify pools, jobs, and tasks to run code on nodes, generate Managed Identity tokens, and retrieve Batch access keys for persistence.
- Managed Identity tokens can be obtained from the instance metadata service (IMDS) on Batch nodes via requests to 169.254.169.254, similar to VMs/VMSS.
- Certificates configured for pools (being deprecated) can be exported from nodes by converting to PFX/Base64, enabling extraction of App Registration credentials or other secrets.
- The MicroBurst Get-AzBatchAccountData function automates collection of pools, jobs, environment variables, resource file URLs, and (with Contributor) Batch keys.
MITRE Techniques
- [T1078] Valid Accounts – Attackers use legitimate Reader/Contributor privileges on Batch accounts to access configuration and artifacts (‘Attackers with Reader access to Batch can read sensitive data from job outputs and gain access to SAS tokens for Storage Account files attached to the jobs’).
- [T1134] Access Token Manipulation – Generating Managed Identity tokens by querying the instance metadata service on Batch nodes to obtain OAuth tokens (‘make a call to the IMDS service… http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/’).
- [T1552] Unsecured Credentials – Sensitive data and secrets exposed via environment variables and start-task settings on pools/tasks (‘sensitive information passed into cloud services … via environmental variables’).
- [T1567] Exfiltration Over Web Service – Using SAS tokens with Read/List permissions to download container files from Storage Accounts (‘These SAS tokens are configured with Read and List permissions for the container, so an attacker … would have the ability to read all of the files in the Storage Account Container’).
- [T1005] Data from Local System – Exporting certificates from batch nodes by exporting PFX and converting to Base64 allows extracting private keys and secrets from node local stores (‘Export-PfxCertificate … [Convert]::ToBase64String([IO.File]::ReadAllBytes(…))’).
Indicators of Compromise
- [IP Address] IMDS endpoint used to obtain tokens – 169.254.169.254 (instance metadata service for Managed Identity token requests)
- [File / Script] automation and extraction artifacts – Get-AzBatchAccountData.ps1 (MicroBurst function), testCertificate.pfx (exported certificate filename)
- [URL / Repo] tooling and resources – https://github.com/NetSPI/MicroBurst/tree/master/Misc/Shortcuts (MicroBurst shortcuts), https://www.netspi.com/blog/technical/cloud-penetration-testing/extracting-sensitive-information-from-azure-batch-service/ (original post)
- [Secrets / Tokens] storage access artifacts – Storage SAS URLs (container Read/List SAS tokens generated for start-task resource files)
Azure Batch pools are configured with resource files, start-task commands, environment variables, user-assigned managed identities, application packages, and optional certificates; resource files can auto-generate Storage SAS URLs for blobs/containers, which are stored in the Batch configuration and readable by anyone with Reader access to the Batch account. Because these SAS tokens commonly grant Read/List to a container and default to seven-day lifetimes, a principal who can view Batch settings can list and download container contents for that timeframe. Start-task environment variables frequently contain secrets as well, so enumerating pool and job environment settings is a high-yield step for discovery.
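The following is an added example, not code from the NetSPI post or MicroBurst: a small audit that takes a pool's start-task document (fields as the Batch API exposes them to a Reader) and reports the exposure described above: SAS URLs that are container-scoped, carry List permission, or still have a long remaining lifetime, plus environment variables whose names suggest a secret. The pool document, the secret-name heuristic, and the 24-hour "long-lived" threshold are all constructed for the example.

```python
"""Audit an Azure Batch pool's start-task settings for exposed SAS URLs and
secret-bearing environment variables.

Added example for this page; it is not NetSPI/MicroBurst code. The pool document
below is constructed to mirror the start-task fields (commandLine,
environmentSettings, resourceFiles) that the Batch API exposes to Readers."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Heuristic (an assumption, not an Azure rule): variable names that usually carry secrets.
SECRET_NAME_RE = re.compile(r"key|secret|token|password|passwd|pwd|sas|connectionstring", re.I)

# Remaining SAS lifetime beyond which the token is reported as long-lived (policy choice).
LONG_LIVED = timedelta(hours=24)


def parse_sas(url):
    """Return the exposure-relevant SAS parameters of a URL, or None if it carries no SAS."""
    q = parse_qs(urlparse(url).query)
    if "sig" not in q:
        return None
    return {
        "resource": q.get("sr", [""])[0],     # 'c' = whole container, 'b' = single blob
        "permissions": q.get("sp", [""])[0],  # letters such as r(ead), l(ist), w(rite), d(elete)
        "expiry": q.get("se", [""])[0],       # ISO-8601 UTC timestamp
    }


def parse_expiry(value):
    """Azure accepts 'se' with or without seconds; try both layouts."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def sas_findings(url, now):
    """Describe why a SAS URL is risky for a principal who can read the pool config."""
    sas = parse_sas(url)
    if sas is None:
        return []
    findings = []
    if sas["resource"] == "c":
        findings.append("container-scoped SAS: grants access to every blob in the container")
    if "l" in sas["permissions"]:
        findings.append("List permission: contents can be enumerated, not just fetched by name")
    if "w" in sas["permissions"] or "d" in sas["permissions"]:
        findings.append("write/delete permission: start-task inputs could be tampered with")
    expiry = parse_expiry(sas["expiry"]) if sas["expiry"] else None
    if expiry is not None:
        remaining = expiry - now
        if remaining <= timedelta(0):
            findings.append("SAS already expired")
        elif remaining > LONG_LIVED:
            findings.append(f"long-lived SAS: about {remaining.days} day(s) remaining")
    return findings


def audit_pool(pool, now):
    """Return (kind, item, message) findings for one pool document."""
    findings = []
    start_task = pool.get("startTask", {})
    for env in start_task.get("environmentSettings", []):
        if SECRET_NAME_RE.search(env["name"]):
            findings.append(("env", env["name"], "name suggests a secret passed via environment"))
    for rf in start_task.get("resourceFiles", []):
        url = rf.get("httpUrl", "")
        for msg in sas_findings(url, now):
            # Report the URL without its query string so the signature is not copied into reports.
            findings.append(("sas", url.split("?", 1)[0], msg))
    return findings


# Constructed sample: one container SAS (Read+List, seven days out) and one plain URL.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POOL = {
    "id": "worker-pool",
    "startTask": {
        "commandLine": "cmd /c setup.cmd",
        "environmentSettings": [
            {"name": "QUEUE_NAME", "value": "jobs"},
            {"name": "STORAGE_KEY", "value": "<redacted>"},
        ],
        "resourceFiles": [
            {"httpUrl": "https://examplestorage.blob.core.windows.net/scripts"
                        "?sv=2021-08-06&sr=c&sp=rl&se=2024-06-08T00:00:00Z&sig=CONSTRUCTED"},
            {"httpUrl": "https://examplestorage.blob.core.windows.net/scripts/setup.cmd"},
        ],
    },
}

if __name__ == "__main__":
    for kind, item, msg in audit_pool(POOL, NOW):
        print(f"[{kind}] {item}: {msg}")
```

The audit deliberately reports the URL without its query string, so the report itself does not become a second place the signature is stored. To run it against live data, feed it the pool JSON returned by the Batch API (or by `Get-AzBatchPool`) in place of the constructed `POOL`.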
With Contributor privileges, an operator can create or modify pools/jobs/tasks to execute code on nodes and leverage assigned User-Assigned Managed Identities; from within a task or by RDP/SSH to a node, the instance metadata service can be queried to obtain access tokens (example IMDS request: http://169.254.169.254/metadata/identity/oauth2/token?…). Attackers can also retrieve Batch account primary/secondary keys to trigger jobs and maintain execution persistence. For certificate extraction (legacy/deprecated feature), certificates in CurrentUser/LocalMachine stores can be exported to PFX and converted to Base64 using PowerShell (Export-PfxCertificate and [Convert]::ToBase64String) and then reconstructed on an attacker host using [IO.File]::WriteAllBytes.
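From the defender's side, the two control-plane actions in this paragraph that a Contributor needs, retrieving the Batch account keys and creating or changing pools, both leave Activity Log events. The following is an added example, not code from the NetSPI post or MicroBurst: detection logic run over constructed, flattened Activity Log records that flags every key retrieval (keys grant persistence, so even routine ones are worth a record) and any pool write by a caller outside an allow-list. The operation names are the Microsoft.Batch resource-provider operations as I know them; the allow-list and the records are constructed for the example, and a real Activity Log export nests these fields differently.

```python
"""Flag Azure Activity Log events for Batch key retrieval and pool creation/modification.

Added example for this page, not NetSPI/MicroBurst code. Records are constructed and
flattened to four fields (operationName, caller, resourceId, status); map a real export's
nested fields onto these before use. The allow-list of expected callers is an assumption."""

KEY_RETRIEVAL = "microsoft.batch/batchaccounts/listkeys/action"
POOL_WRITE = "microsoft.batch/batchaccounts/pools/write"

# Assumed: the only identities expected to perform these operations in this tenant.
EXPECTED_CALLERS = {
    KEY_RETRIEVAL: {"batch-deploy-sp@example.com"},
    POOL_WRITE: {"batch-deploy-sp@example.com"},
}


def classify(record):
    """Return a finding dict for a Batch key-retrieval or pool-write event, else None."""
    op = record.get("operationName", "").lower()  # exports vary in case; compare lower-cased
    if op not in EXPECTED_CALLERS:
        return None
    caller = record.get("caller", "")
    unexpected = caller not in EXPECTED_CALLERS[op]
    if op == POOL_WRITE and not unexpected:
        return None  # routine deployment by the expected identity
    return {
        # Key retrieval is recorded even when expected: the keys outlive any role change.
        "severity": "high" if unexpected else "info",
        "operation": op,
        "caller": caller,
        "resource": record.get("resourceId", ""),
        # Failed attempts are kept in the finding rather than dropped; they show intent.
        "status": record.get("status", ""),
    }


def scan(records):
    """Run classify() over a batch of records and keep only the findings."""
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample records (not a real tenant).
ACCOUNT = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Batch/batchAccounts/acct"
RECORDS = [
    {"operationName": "Microsoft.Batch/batchAccounts/listKeys/action",
     "caller": "batch-deploy-sp@example.com", "resourceId": ACCOUNT, "status": "Succeeded"},
    {"operationName": "Microsoft.Batch/batchAccounts/listKeys/action",
     "caller": "alice@example.com", "resourceId": ACCOUNT, "status": "Succeeded"},
    {"operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "batch-deploy-sp@example.com", "resourceId": ACCOUNT + "/pools/worker-pool", "status": "Succeeded"},
    {"operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "alice@example.com", "resourceId": ACCOUNT + "/pools/adhoc-pool", "status": "Failed"},
    {"operationName": "Microsoft.Batch/batchAccounts/read",
     "caller": "alice@example.com", "resourceId": ACCOUNT, "status": "Succeeded"},
]

if __name__ == "__main__":
    for finding in scan(RECORDS):
        print(f"{finding['severity']:<5} {finding['caller']:<30} {finding['operation']} ({finding['status']})")
```

Two caveats on scope: job and task operations go through the Batch service (data-plane) API rather than Azure Resource Manager, so they do not appear in the Activity Log and need the Batch account's diagnostic logs instead; and IMDS requests made from a node never reach a central log, so token use by a managed identity is better observed on the side of the resource it authenticates to.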
To automate reconnaissance when you have at least Reader rights, NetSPI’s MicroBurst includes Get-AzBatchAccountData, which enumerates pools (environment variables, start-task commands, resource URLs), jobs and their tasks/subtasks, and — if you have Contributor rights — primary/secondary Batch keys. Running this function against a subscription produces output folders containing Jobs, Pools, and Keys (when permitted), streamlining discovery of exposed SAS tokens, env-vars, and other sensitive Batch-config artifacts.