Azure Blob Storage Container Access Level Modified
The rule identifies modifications to Azure Blob Storage container access levels, which, if unauthorized, may lead to data exposure and exfiltration.
This detection rule identifies changes to container access levels in Azure Blob Storage. Anonymous public read access to containers and blobs in Azure is a convenient way to share data, but if access to sensitive data is not carefully managed, it can introduce significant security risks. The rule specifically focuses on detecting modifications to container access settings, aiming to identify potential unauthorized changes that could expose sensitive data. This rule is important for defenders because unauthorized modifications can lead to data breaches, compliance violations, and reputational damage. The rule leverages Azure Activity Logs to monitor for the specific operation related to container access modifications.
Attack Chain
- An attacker gains initial access to an Azure account through compromised credentials or an exposed service principal.
- The attacker enumerates existing Azure Blob Storage accounts and containers within the compromised subscription.
- The attacker modifies the access level of a specific Blob Storage container to allow public read access using the "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" operation.
- The attacker verifies the successful access level modification by attempting to access the container anonymously.
- The attacker exfiltrates sensitive data stored within the now publicly accessible container.
- The attacker attempts to cover their tracks by deleting activity logs or creating misleading entries.
- The attacker moves laterally to other Azure resources using the compromised credentials or service principal.
Impact
An unauthorized modification of Azure Blob Storage container access levels can lead to the exposure of sensitive data to the public internet. This can result in data breaches, compliance violations, and reputational damage. The risk score associated with this type of activity is 21, and the severity is classified as low, reflecting the potential impact of unauthorized access and data exposure. The rule aims to detect these modifications early to prevent data exfiltration.
Recommendation
- Enable Azure Activity Log monitoring and ensure logs are being ingested into your SIEM or security analytics platform to detect the "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" operation.
- Deploy the Sigma rule "Azure Blob Storage Container Access Level Modified" to your SIEM and tune the rule based on your environment to minimize false positives.
- Review and update access management policies and procedures to prevent unauthorized modifications of container access levels to mitigate T1222.
- Investigate any detected instances of "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" operations from unfamiliar users or service principals.
Detection coverage 2
Azure Blob Storage Container Access Level Modified
mediumDetects modifications to Azure Blob Storage container access levels.
Azure Blob Storage Container Access Level Modified - User
lowDetects modifications to Azure Blob Storage container access levels by a specific user.
Detection queries are available on the platform. Get full rules →