Skip to content
Threat Feed
medium advisory

Azure Blob Storage Permissions Modified for Defense Evasion

An adversary may modify Azure Blob Storage permissions to weaken security controls, leading to potential data exposure or loss; this rule detects such modifications by monitoring Azure activity logs for specific operations related to permission changes on blobs.

This detection rule identifies when Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may intentionally alter permissions to weaken a target's security posture, facilitating unauthorized access or data exfiltration. Alternatively, an administrator might inadvertently make such modifications, creating vulnerabilities that could lead to data exposure or loss. This rule focuses on monitoring Azure activity logs for specific operations related to permission changes on blobs. The rule is designed to detect successful permission changes and alerts analysts to potential security breaches or misconfigurations. The rule is compatible with data from the Azure Fleet integration, Filebeat module, or similarly structured data.

Attack Chain

  1. An attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.
  2. The attacker enumerates existing Azure Blob Storage containers and their associated permissions to identify potential targets for privilege escalation or data access.
  3. The attacker attempts to modify the permissions of a specific blob within a storage container using operations like MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION.
  4. The Azure RBAC system processes the permission modification request, validating the attacker's credentials and authorization.
  5. If the attacker possesses sufficient privileges or exploits a misconfiguration, the permission modification is successfully applied to the target blob.
  6. The attacker leverages the modified permissions to gain unauthorized access to the blob's content, potentially containing sensitive data.
  7. The attacker exfiltrates the data or uses the altered access to further compromise other resources within the Azure environment.

Impact

Successful modification of Azure Blob Storage permissions can lead to unauthorized data access, data breaches, and potential compromise of sensitive information stored within the blobs. This can impact confidentiality, integrity, and availability of critical business data. The risk score is 47, indicating a significant potential impact.

Recommendation

  • Deploy the Sigma rule Azure Blob Storage Permissions Modified to your SIEM to detect unauthorized permission changes in Azure Blob Storage.
  • Review Azure activity logs to identify the user or service principal associated with the permission modification event, as described in the rule's description.
  • Implement stricter Azure RBAC policies to ensure that only necessary permissions are granted, mitigating the risk of unauthorized modifications.
  • Create exceptions for specific user accounts or roles that frequently perform legitimate permission modifications, as described in the false_positives section of the rule.

Detection coverage 2

Azure Blob Storage Permissions Modified

medium

Detects when Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob, which may indicate defense evasion.

sigma tactics: defense_evasion techniques: T1222 sources: cloudtrail, azure

Azure Blob Container Permissions Modified

medium

Detects modifications to Azure Blob container permissions, potentially indicating malicious activity or misconfiguration.

sigma tactics: defense_evasion techniques: T1222 sources: cloudtrail, azure

Detection queries are available on the platform. Get full rules →