Skip to content
Threat Feed
low advisory

Azure Storage Account Key Regeneration

Detection of Azure Storage Account key regeneration events, which can signify potential credential access or persistence attempts by adversaries aiming to gain unauthorized access or disrupt services.

This threat brief focuses on the detection of Azure Storage Account key regeneration events. Regenerating these keys can impact dependent applications and Azure services. An adversary might regenerate a storage account key to gain unauthorized access to storage resources, potentially leading to data exfiltration or service disruption. The detection rule monitors Azure activity logs for successful key regeneration operations, providing an opportunity to identify and respond to potential credential misuse. Key rotation is a normal part of operations, however, unscheduled key rotation, or key rotation from unfamiliar locations or users should be investigated.

Attack Chain

  1. An adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.
  2. The adversary enumerates existing Azure storage accounts within the compromised subscription to identify potential targets.
  3. The adversary authenticates to the Azure Resource Manager API using the compromised credentials or an established session.
  4. The adversary executes a command to regenerate a storage account access key using the Azure CLI or PowerShell.
  5. Azure Activity Logs record the event with operation_name as MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome as Success.
  6. If successful, the adversary can then use the newly generated key to access the storage account and its contents.
  7. The adversary attempts to access or download sensitive data stored within the Azure Storage Account, such as backups or proprietary files.
  8. The adversary establishes persistence by using the new keys in automated scripts to access data in the storage account.

Impact

Successful regeneration of Azure Storage Account keys can lead to unauthorized access to sensitive data, including customer information, proprietary data, and backups. This can result in data breaches, financial loss, and reputational damage. The scope of the impact depends on the permissions associated with the compromised account and the sensitivity of the data stored in the affected storage account.

Recommendation

  • Deploy the Sigma rule "Azure Storage Account Key Regenerated" to your SIEM to detect unauthorized key regenerations in Azure Activity Logs.
  • Investigate any detected instances of storage account key regeneration, especially those performed by unfamiliar users or from unusual locations, by examining the event.outcome and associated user activity logs.
  • Implement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise, mitigating initial access (TA0001).
  • Review and harden Azure Storage Account access policies and permissions to adhere to the principle of least privilege, limiting the impact of potential credential compromise (T1552).
  • Establish a process for regular, documented key rotation and create exceptions in the detection rule for these known events.

Detection coverage 2

Azure Storage Account Key Regenerated

low

Detects the regeneration of Azure Storage Account keys, which may indicate unauthorized credential access or persistence.

sigma tactics: credential_access techniques: T1552.005 sources: cloudtrail, azure

Azure Storage Account Key Regenerated by Unusual User

medium

Detects Azure Storage Account key regeneration events performed by users or service principals that are not typically associated with this activity.

sigma tactics: credential_access techniques: T1552 sources: cloudtrail, azure

Detection queries are available on the platform. Get full rules →