{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/storage-account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Storm-0501"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Azure","Azure Storage Accounts"],"_cs_severities":["medium"],"_cs_tags":["azure","storage account","credential access","ransomware"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unusual access patterns to Azure Storage Account keys, specifically by users holding high-privilege roles such as Owner, Contributor, Storage Account Contributor, or User Access Administrator. The access of these keys allows for full administrative control over the storage resources. Microsoft recommends using Shared Access Signature (SAS) models instead of direct key access for improved security. This behavior was observed in STORM-0501 ransomware campaigns, where compromised identities with elevated Azure RBAC roles retrieved storage account keys to conduct unauthorized operations on the storage accounts. The detection strategy focuses on identifying when a user principal with these high-privilege roles accesses storage keys for the first time within a 7-day window, highlighting potentially malicious or anomalous behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a user account with a high-privilege Azure RBAC role (Owner, Contributor, Storage Account Contributor, or User Access Administrator). This may be achieved through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe compromised account logs into the Azure portal or uses Azure CLI/PowerShell with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker enumerates available Azure Storage Accounts within the subscription.\u003c/li\u003e\n\u003cli\u003eUsing the compromised account, the attacker executes the \u003ccode\u003eMICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION\u003c/code\u003e operation to retrieve the storage account keys.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the retrieved storage account keys to perform unauthorized actions on the Storage Account, such as reading, modifying, or deleting data.\u003c/li\u003e\n\u003cli\u003eData exfiltration occurs using the compromised storage account keys, potentially involving tools like AzCopy or custom scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally to other storage accounts or Azure resources using the compromised keys.\u003c/li\u003e\n\u003cli\u003eRansomware deployment within the storage account, encrypting data and demanding payment for its recovery, as observed in STORM-0501 campaigns.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized data access, modification, or deletion within Azure Storage Accounts. The impact includes potential data breaches, financial losses, and reputational damage. As observed with STORM-0501, compromised storage account keys can facilitate ransomware deployment, rendering critical data inaccessible until a ransom is paid. Organizations in all sectors that utilize Azure Storage Accounts are potentially vulnerable. The compromise can allow attackers full control over the storage account leading to complete data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Azure Storage Account Keys Accessed by Privileged User - New Access\u0026quot; to detect first-time key access within 7 days by privileged users based on \u003ccode\u003eazure.activitylogs.operation_name: \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION\u0026quot;\u003c/code\u003e and \u003ccode\u003eevent.outcome: \u0026quot;success\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Azure Activity Logs and ensure they are being ingested into your SIEM to provide the data source necessary for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eRotate storage account keys immediately upon detection of unauthorized access and audit recent activities on the affected storage accounts.\u003c/li\u003e\n\u003cli\u003eEnforce the use of Azure AD authentication or SAS tokens instead of storage account keys to reduce future risks, as recommended by Microsoft.\u003c/li\u003e\n\u003cli\u003eReview and restrict the assignment of high-privilege roles like Owner and Contributor, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eConfigure Azure Policy to restrict the \u003ccode\u003elistKeys\u003c/code\u003e operation to specific roles or require additional approval workflows.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:00:00Z","date_published":"2024-01-09T16:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-storage-key-access/","summary":"Detects unusual access to Azure Storage Account keys by users with Owner, Contributor, Storage Account Contributor, or User Access Administrator roles, potentially indicating compromised identities as seen in STORM-0501 ransomware campaigns.","title":"Unusual Azure Storage Account Key Access by Privileged User","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-storage-key-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage Account"],"_cs_severities":["low"],"_cs_tags":["azure","credential-access","storage-account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of Azure Storage Account key regeneration events. Regenerating these keys can impact dependent applications and Azure services. An adversary might regenerate a storage account key to gain unauthorized access to storage resources, potentially leading to data exfiltration or service disruption. The detection rule monitors Azure activity logs for successful key regeneration operations, providing an opportunity to identify and respond to potential credential misuse. Key rotation is a normal part of operations, however, unscheduled key rotation, or key rotation from unfamiliar locations or users should be investigated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe adversary enumerates existing Azure storage accounts within the compromised subscription to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe adversary authenticates to the Azure Resource Manager API using the compromised credentials or an established session.\u003c/li\u003e\n\u003cli\u003eThe adversary executes a command to regenerate a storage account access key using the Azure CLI or PowerShell.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the event with \u003ccode\u003eoperation_name\u003c/code\u003e as \u003ccode\u003eMICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\u003c/code\u003e and \u003ccode\u003eevent.outcome\u003c/code\u003e as \u003ccode\u003eSuccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf successful, the adversary can then use the newly generated key to access the storage account and its contents.\u003c/li\u003e\n\u003cli\u003eThe adversary attempts to access or download sensitive data stored within the Azure Storage Account, such as backups or proprietary files.\u003c/li\u003e\n\u003cli\u003eThe adversary establishes persistence by using the new keys in automated scripts to access data in the storage account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful regeneration of Azure Storage Account keys can lead to unauthorized access to sensitive data, including customer information, proprietary data, and backups. This can result in data breaches, financial loss, and reputational damage. The scope of the impact depends on the permissions associated with the compromised account and the sensitivity of the data stored in the affected storage account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Storage Account Key Regenerated\u0026quot; to your SIEM to detect unauthorized key regenerations in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of storage account key regeneration, especially those performed by unfamiliar users or from unusual locations, by examining the \u003ccode\u003eevent.outcome\u003c/code\u003e and associated user activity logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise, mitigating initial access (TA0001).\u003c/li\u003e\n\u003cli\u003eReview and harden Azure Storage Account access policies and permissions to adhere to the principle of least privilege, limiting the impact of potential credential compromise (T1552).\u003c/li\u003e\n\u003cli\u003eEstablish a process for regular, documented key rotation and create exceptions in the detection rule for these known events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T15:00:00Z","date_published":"2024-01-04T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-azure-storage-key-regen/","summary":"Detection of Azure Storage Account key regeneration events, which can signify potential credential access or persistence attempts by adversaries aiming to gain unauthorized access or disrupt services.","title":"Azure Storage Account Key Regeneration","url":"https://feed.craftedsignal.io/briefs/2024-01-04-azure-storage-key-regen/"}],"language":"en","title":"CraftedSignal Threat Feed - Storage Account","version":"https://jsonfeed.org/version/1.1"}