{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/storage/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage Account"],"_cs_severities":["medium"],"_cs_tags":["azure","storage","deletion","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when an Azure Storage Account is deleted, a high-impact operation with significant consequences. Adversaries may delete storage accounts to disrupt operations, destroy evidence of their activities, or cause denial of service, potentially as part of ransomware or destructive attacks. Monitoring storage account deletions is crucial for detecting potential impact on business operations and data availability within Azure environments. The provided rule focuses on identifying storage account deletions performed by unusual users, leveraging Azure Activity Logs to pinpoint potentially malicious activity. The rule relies on the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE\u0026quot; operation name and user identity information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates their privileges within the Azure environment to gain the necessary permissions to manage storage accounts (requires Contributor or Owner role).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a storage account containing sensitive data or critical application components.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE\u0026quot; operation to delete the targeted storage account using an unusual user account.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the deletion event, including details about the user, timestamp, and resource involved.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting or modifying other logs and audit trails.\u003c/li\u003e\n\u003cli\u003eThe deletion of the storage account causes data loss, application downtime, and disruption of business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Azure Storage Accounts leads to permanent data loss, impacting business operations and application availability. The number of affected victims depends on the storage account's contents and the criticality of the applications relying on it. This activity can result in significant financial losses, reputational damage, and regulatory compliance issues. The deletion of storage accounts may be part of a larger ransomware or destructive attack targeting cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Storage Account Deletion by Unusual User\u0026quot; to your SIEM, using \u003ccode\u003elogs-azure.activitylogs-*\u003c/code\u003e index, and tune the \u003ccode\u003enew_terms\u003c/code\u003e field for your environment.\u003c/li\u003e\n\u003cli\u003eReview Azure RBAC permissions and restrict storage account deletion capabilities to authorized users only, based on the guidance in the rule documentation.\u003c/li\u003e\n\u003cli\u003eConfigure Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement Azure Resource Locks to prevent accidental or malicious deletion of critical storage accounts, per the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:21:00Z","date_published":"2024-01-09T18:21:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/","summary":"This brief detects the deletion of Azure Storage Accounts which can indicate malicious activity like data destruction, denial of service, or covering tracks after data exfiltration by adversaries.","title":"Azure Storage Account Deletion Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage Account"],"_cs_severities":["medium"],"_cs_tags":["azure","storage","data_exfiltration","cloud_security"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on detecting the enabling of public access to Azure Storage Account Blobs. This configuration change allows anonymous internet access to blob containers, bypassing typical authentication requirements. The activity is detected by monitoring for the Microsoft.Storage/storageAccounts/write operation within Azure Activity Logs.  Observed in cloud ransom-based campaigns, threat actors such as STORM-0501 have exploited this misconfiguration to expose data for exfiltration. Detecting this behavior is critical to prevent unauthorized data access and potential ransomware attacks, particularly when sensitive information is stored within Azure Blob storage.  The rule specifically looks for modifications where the \u003ccode\u003eallowBlobPublicAccess\u003c/code\u003e property is set to \u003ccode\u003etrue\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access to an Azure account, potentially through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges within the Azure environment to gain the necessary permissions to modify storage account settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStorage Account Discovery:\u003c/strong\u003e The attacker identifies target storage accounts containing valuable data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify Storage Account Configuration:\u003c/strong\u003e The attacker executes the \u003ccode\u003eMicrosoft.Storage/storageAccounts/write\u003c/code\u003e operation to modify the storage account's public access settings, specifically setting \u003ccode\u003eallowBlobPublicAccess\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Once public access is enabled, the attacker accesses and exfiltrates the data stored in blob containers without needing authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (optional):\u003c/strong\u003e The attacker leverages the compromised storage account to gain access to other resources within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom/Extortion (in some cases):\u003c/strong\u003e The attacker encrypts the data in the storage account and demands a ransom for its recovery, or threatens to release the exfiltrated data publicly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eEnabling public access to Azure Storage Account Blobs can lead to significant data breaches and financial losses.  Successful attacks can result in the exposure of sensitive customer data, intellectual property, or confidential business information.  The STORM-0501 campaign demonstrates how this vulnerability can be exploited in cloud ransom-based campaigns.  The impact can range from reputational damage and regulatory fines to significant operational disruptions.  The number of affected records could be substantial depending on the size and content of the exposed blob containers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Storage Account Public Blob Access Enabled\u003c/code\u003e to your SIEM to detect unauthorized modifications to storage account access settings.\u003c/li\u003e\n\u003cli\u003eImplement Azure Policy to prevent enabling public blob access on storage accounts containing sensitive data as described in the overview.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for any instances of \u003ccode\u003eMicrosoft.Storage/storageAccounts/write\u003c/code\u003e events as outlined in the attack chain to identify potential unauthorized changes.\u003c/li\u003e\n\u003cli\u003eAudit all blob containers within affected storage accounts (referenced in the overview) to identify which data may have been exposed and assess the potential impact of the exposure.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eazure.resource.name\u003c/code\u003e field to track which storage accounts are being targeted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/","summary":"Detection of Azure Storage Account Blob public access being enabled, potentially allowing external access to blob containers for data exfiltration, as abused by threat actors modifying storage account settings.","title":"Azure Storage Account Blob Public Access Enabled","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure","Azure Storage Accounts"],"_cs_severities":["high"],"_cs_tags":["cloud","azure","storage","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when a single user or service principal deletes multiple Azure Storage Accounts within a short time period. This behavior can indicate an adversary attempting to cause widespread service disruption, destroy evidence, or execute a destructive attack such as ransomware. Mass deletion of storage accounts can have severe business impact and is rarely performed by legitimate administrators except during controlled decommissioning activities. The original Elastic detection rule was published on 2025/10/08 and updated on 2026/04/10. This threat is important for defenders because Azure Storage Accounts are critical infrastructure components that store application data, backups, and business-critical information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account or service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available Azure Storage Accounts within the subscription.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Azure portal, CLI, or API to initiate deletion of multiple storage accounts.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE\u0026quot; operations.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable or delete backups to hinder recovery efforts.\u003c/li\u003e\n\u003cli\u003eIf successful, the deletion of storage accounts results in data loss and service disruption.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exfiltrate additional data before final deletion.\u003c/li\u003e\n\u003cli\u003eThe attack aims to cause maximum impact by deleting as many storage accounts as possible in a short timeframe.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eMass deletion of storage accounts can result in significant data loss, service disruption, and financial damage. The number of affected storage accounts can vary, but the impact is generally high due to the critical nature of stored data. This attack could impact any organization using Azure Storage Accounts, including those in the technology, finance, and healthcare sectors. If successful, organizations may experience data breaches, compliance violations, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Storage Account Deletions by User\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for the \u0026quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE\u0026quot; operation to investigate potential mass deletion attempts.\u003c/li\u003e\n\u003cli\u003eImplement Azure Resource Locks on all critical storage accounts to prevent accidental or malicious deletion.\u003c/li\u003e\n\u003cli\u003eConfigure Azure Policy to require approval workflows for storage account deletions using Azure Blueprints or custom governance solutions.\u003c/li\u003e\n\u003cli\u003eEnable Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-deletion/","summary":"A single user or service principal deleting multiple Azure Storage Accounts within a short time period may indicate malicious activity such as data destruction, service disruption, or a ransomware attack.","title":"Multiple Azure Storage Account Deletions by User","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Storage","version":"https://jsonfeed.org/version/1.1"}