{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-storage-account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage Account"],"_cs_severities":["medium"],"_cs_tags":["azure","storage","deletion","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when an Azure Storage Account is deleted, a high-impact operation with significant consequences. Adversaries may delete storage accounts to disrupt operations, destroy evidence of their activities, or cause denial of service, potentially as part of ransomware or destructive attacks. Monitoring storage account deletions is crucial for detecting potential impact on business operations and data availability within Azure environments. The provided rule focuses on identifying storage account deletions performed by unusual users, leveraging Azure Activity Logs to pinpoint potentially malicious activity. The rule relies on the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE\u0026quot; operation name and user identity information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates their privileges within the Azure environment to gain the necessary permissions to manage storage accounts (requires Contributor or Owner role).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a storage account containing sensitive data or critical application components.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE\u0026quot; operation to delete the targeted storage account using an unusual user account.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the deletion event, including details about the user, timestamp, and resource involved.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting or modifying other logs and audit trails.\u003c/li\u003e\n\u003cli\u003eThe deletion of the storage account causes data loss, application downtime, and disruption of business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Azure Storage Accounts leads to permanent data loss, impacting business operations and application availability. The number of affected victims depends on the storage account's contents and the criticality of the applications relying on it. This activity can result in significant financial losses, reputational damage, and regulatory compliance issues. The deletion of storage accounts may be part of a larger ransomware or destructive attack targeting cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Storage Account Deletion by Unusual User\u0026quot; to your SIEM, using \u003ccode\u003elogs-azure.activitylogs-*\u003c/code\u003e index, and tune the \u003ccode\u003enew_terms\u003c/code\u003e field for your environment.\u003c/li\u003e\n\u003cli\u003eReview Azure RBAC permissions and restrict storage account deletion capabilities to authorized users only, based on the guidance in the rule documentation.\u003c/li\u003e\n\u003cli\u003eConfigure Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement Azure Resource Locks to prevent accidental or malicious deletion of critical storage accounts, per the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:21:00Z","date_published":"2024-01-09T18:21:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/","summary":"This brief detects the deletion of Azure Storage Accounts which can indicate malicious activity like data destruction, denial of service, or covering tracks after data exfiltration by adversaries.","title":"Azure Storage Account Deletion Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage Account"],"_cs_severities":["low"],"_cs_tags":["azure","credential-access","storage-account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of Azure Storage Account key regeneration events. Regenerating these keys can impact dependent applications and Azure services. An adversary might regenerate a storage account key to gain unauthorized access to storage resources, potentially leading to data exfiltration or service disruption. The detection rule monitors Azure activity logs for successful key regeneration operations, providing an opportunity to identify and respond to potential credential misuse. Key rotation is a normal part of operations, however, unscheduled key rotation, or key rotation from unfamiliar locations or users should be investigated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe adversary enumerates existing Azure storage accounts within the compromised subscription to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe adversary authenticates to the Azure Resource Manager API using the compromised credentials or an established session.\u003c/li\u003e\n\u003cli\u003eThe adversary executes a command to regenerate a storage account access key using the Azure CLI or PowerShell.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the event with \u003ccode\u003eoperation_name\u003c/code\u003e as \u003ccode\u003eMICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\u003c/code\u003e and \u003ccode\u003eevent.outcome\u003c/code\u003e as \u003ccode\u003eSuccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf successful, the adversary can then use the newly generated key to access the storage account and its contents.\u003c/li\u003e\n\u003cli\u003eThe adversary attempts to access or download sensitive data stored within the Azure Storage Account, such as backups or proprietary files.\u003c/li\u003e\n\u003cli\u003eThe adversary establishes persistence by using the new keys in automated scripts to access data in the storage account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful regeneration of Azure Storage Account keys can lead to unauthorized access to sensitive data, including customer information, proprietary data, and backups. This can result in data breaches, financial loss, and reputational damage. The scope of the impact depends on the permissions associated with the compromised account and the sensitivity of the data stored in the affected storage account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Storage Account Key Regenerated\u0026quot; to your SIEM to detect unauthorized key regenerations in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of storage account key regeneration, especially those performed by unfamiliar users or from unusual locations, by examining the \u003ccode\u003eevent.outcome\u003c/code\u003e and associated user activity logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise, mitigating initial access (TA0001).\u003c/li\u003e\n\u003cli\u003eReview and harden Azure Storage Account access policies and permissions to adhere to the principle of least privilege, limiting the impact of potential credential compromise (T1552).\u003c/li\u003e\n\u003cli\u003eEstablish a process for regular, documented key rotation and create exceptions in the detection rule for these known events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T15:00:00Z","date_published":"2024-01-04T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-azure-storage-key-regen/","summary":"Detection of Azure Storage Account key regeneration events, which can signify potential credential access or persistence attempts by adversaries aiming to gain unauthorized access or disrupt services.","title":"Azure Storage Account Key Regeneration","url":"https://feed.craftedsignal.io/briefs/2024-01-04-azure-storage-key-regen/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage Account"],"_cs_severities":["medium"],"_cs_tags":["azure","storage","data_exfiltration","cloud_security"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on detecting the enabling of public access to Azure Storage Account Blobs. This configuration change allows anonymous internet access to blob containers, bypassing typical authentication requirements. The activity is detected by monitoring for the Microsoft.Storage/storageAccounts/write operation within Azure Activity Logs.  Observed in cloud ransom-based campaigns, threat actors such as STORM-0501 have exploited this misconfiguration to expose data for exfiltration. Detecting this behavior is critical to prevent unauthorized data access and potential ransomware attacks, particularly when sensitive information is stored within Azure Blob storage.  The rule specifically looks for modifications where the \u003ccode\u003eallowBlobPublicAccess\u003c/code\u003e property is set to \u003ccode\u003etrue\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access to an Azure account, potentially through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges within the Azure environment to gain the necessary permissions to modify storage account settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStorage Account Discovery:\u003c/strong\u003e The attacker identifies target storage accounts containing valuable data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify Storage Account Configuration:\u003c/strong\u003e The attacker executes the \u003ccode\u003eMicrosoft.Storage/storageAccounts/write\u003c/code\u003e operation to modify the storage account's public access settings, specifically setting \u003ccode\u003eallowBlobPublicAccess\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Once public access is enabled, the attacker accesses and exfiltrates the data stored in blob containers without needing authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker leverages the compromised storage account to gain access to other resources within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom/Extortion (in some cases):\u003c/strong\u003e The attacker encrypts the data in the storage account and demands a ransom for its recovery, or threatens to release the exfiltrated data publicly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling public access to Azure Storage Account Blobs can lead to significant data breaches and financial losses.  Successful attacks can result in the exposure of sensitive customer data, intellectual property, or confidential business information.  The STORM-0501 campaign demonstrates how this vulnerability can be exploited in cloud ransom-based campaigns.  The impact can range from reputational damage and regulatory fines to significant operational disruptions.  The number of affected records could be substantial depending on the size and content of the exposed blob containers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Storage Account Public Blob Access Enabled\u003c/code\u003e to your SIEM to detect unauthorized modifications to storage account access settings.\u003c/li\u003e\n\u003cli\u003eImplement Azure Policy to prevent enabling public blob access on storage accounts containing sensitive data as described in the overview.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for any instances of \u003ccode\u003eMicrosoft.Storage/storageAccounts/write\u003c/code\u003e events as outlined in the attack chain to identify potential unauthorized changes.\u003c/li\u003e\n\u003cli\u003eAudit all blob containers within affected storage accounts (referenced in the overview) to identify which data may have been exposed and assess the potential impact of the exposure.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eazure.resource.name\u003c/code\u003e field to track which storage accounts are being targeted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/","summary":"Detection of Azure Storage Account Blob public access being enabled, potentially allowing external access to blob containers for data exfiltration, as abused by threat actors modifying storage account settings.","title":"Azure Storage Account Blob Public Access Enabled","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Storage Account","version":"https://jsonfeed.org/version/1.1"}