{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/asset-visibility/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Blob Storage"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","asset-visibility","discovery"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies changes to container access levels in Azure Blob Storage. Anonymous public read access to containers and blobs in Azure is a convenient way to share data, but if access to sensitive data is not carefully managed, it can introduce significant security risks. The rule specifically focuses on detecting modifications to container access settings, aiming to identify potential unauthorized changes that could expose sensitive data. This rule is important for defenders because unauthorized modifications can lead to data breaches, compliance violations, and reputational damage. The rule leverages Azure Activity Logs to monitor for the specific operation related to container access modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account through compromised credentials or an exposed service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure Blob Storage accounts and containers within the compromised subscription.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the access level of a specific Blob Storage container to allow public read access using the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful access level modification by attempting to access the container anonymously.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data stored within the now publicly accessible container.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting activity logs or creating misleading entries.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other Azure resources using the compromised credentials or service principal.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthorized modification of Azure Blob Storage container access levels can lead to the exposure of sensitive data to the public internet. This can result in data breaches, compliance violations, and reputational damage. The risk score associated with this type of activity is 21, and the severity is classified as low, reflecting the potential impact of unauthorized access and data exposure. The rule aims to detect these modifications early to prevent data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Activity Log monitoring and ensure logs are being ingested into your SIEM or security analytics platform to detect the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Blob Storage Container Access Level Modified\u0026quot; to your SIEM and tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eReview and update access management policies and procedures to prevent unauthorized modifications of container access levels to mitigate T1222.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\u0026quot; operations from unfamiliar users or service principals.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-blob-access-modification/","summary":"The rule identifies modifications to Azure Blob Storage container access levels, which, if unauthorized, may lead to data exposure and exfiltration.","title":"Azure Blob Storage Container Access Level Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-blob-access-modification/"}],"language":"en","title":"CraftedSignal Threat Feed - Asset-Visibility","version":"https://jsonfeed.org/version/1.1"}