New alert for Microsoft Defender for Storage

Hi,

To expand the threat protections provided by Microsoft Defender for Storage, Microsoft added a new preview alert.

Alert (alert type): PREVIEW – Access from a suspicious application (Storage.Blob_SuspiciousApp)

Description: Indicates that a suspicious application has successfully accessed a container of a storage account with authentication. This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization.

Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2

MITRE tactic: Initial Access

Severity: Medium

Maxime.

Storage | Scanning Azure Blob Storage

Hi!

In this article, I will show you how you can scan Azure Blob Storage to identify potentially public storage containers. When you create a new container, you have 3 options for the public access level:

  • Private: No public access to this container (default configuration).
  • Blob: Public access is permitted to this container and its blobs.
  • Container: Public access is permitted to blobs in this container, but not to the container itself.

To perform this scan, we will use a function included in the MicroBurst tool.

Invoke-EnumerateAzureBlobs -Base yourcompanyname

In this example, I will use an additional containerlist file with some example folder names (dev, non, prod, devprod, …)

Invoke-EnumerateAzureBlobs -Base zigmaxlab -Folders .\containerlist.txt
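The scan above finds public containers from the outside. As an added example (not part of the original post and not MicroBurst code), the Python script below audits the same exposure from the inside, for accounts you administer: it reads the JSON produced by az storage account list and az storage container list, reports every container whose access level is Blob or Container, and notes whether the account-level AllowBlobPublicAccess setting actually lets anonymous reads through. The JSON samples, account names and container names are constructed; the remediation commands are the documented az storage account update and az storage container set-permission options.

```python
"""Audit Azure Blob containers for public access (added example).

Input is the JSON that these two Azure CLI commands print:

    az storage account list -o json
    az storage container list --account-name <name> --auth-mode login -o json

The two samples below are constructed to mirror the shape of that output.
"""
import json

# Constructed sample of `az storage account list` (two accounts).
ACCOUNTS_JSON = """
[
  {"name": "zigmaxlabdata", "resourceGroup": "rg-lab", "allowBlobPublicAccess": true},
  {"name": "zigmaxlabsec",  "resourceGroup": "rg-lab", "allowBlobPublicAccess": false}
]
"""

# Constructed sample of `az storage container list`, one document per account.
CONTAINERS_JSON = {
    "zigmaxlabdata": """
    [
      {"name": "dev",  "properties": {"publicAccess": "container"}},
      {"name": "prod", "properties": {"publicAccess": "blob"}},
      {"name": "logs", "properties": {"publicAccess": null}}
    ]
    """,
    "zigmaxlabsec": """
    [
      {"name": "dev", "properties": {"publicAccess": "container"}}
    ]
    """,
}


def load_samples():
    """Parse the constructed samples into the structures the audit expects."""
    accounts = json.loads(ACCOUNTS_JSON)
    containers = {name: json.loads(doc) for name, doc in CONTAINERS_JSON.items()}
    return accounts, containers


def audit_public_containers(accounts, containers_by_account):
    """Return one finding per container with a Blob or Container access level.

    `exposed` is True only when the account also allows blob public access:
    anonymous reads need BOTH the account and the container to permit them.
    A container that is public but blocked at the account level is still
    reported, because flipping the account setting would expose it instantly.
    """
    findings = []
    for acct in accounts:
        allow = acct.get("allowBlobPublicAccess")
        # Assumption: a missing value is treated as "allowed", which was the
        # historical default, so the audit errs on the side of reporting.
        account_allows = True if allow is None else bool(allow)
        for c in containers_by_account.get(acct["name"], []):
            level = (c.get("properties") or {}).get("publicAccess")
            if level not in ("blob", "container"):
                continue  # private container: nothing to report
            findings.append({
                "account": acct["name"],
                "resourceGroup": acct.get("resourceGroup", ""),
                "container": c["name"],
                "level": level,
                "exposed": account_allows,
            })
    return findings


def remediation_commands(findings):
    """Build the az commands that close each finding (account switch first)."""
    cmds = []
    for f in findings:
        if f["exposed"]:
            acct_cmd = (f"az storage account update -n {f['account']} "
                        f"-g {f['resourceGroup']} --allow-blob-public-access false")
            if acct_cmd not in cmds:
                cmds.append(acct_cmd)
        cmds.append(f"az storage container set-permission --name {f['container']} "
                    f"--account-name {f['account']} --public-access off --auth-mode login")
    return cmds


if __name__ == "__main__":
    accounts, containers = load_samples()
    results = audit_public_containers(accounts, containers)
    for f in results:
        state = "EXPOSED" if f["exposed"] else "public but blocked at account level"
        print(f"{f['account']}/{f['container']}: level={f['level']} ({state})")
    print("\nRemediation:")
    for cmd in remediation_commands(results):
        print("  " + cmd)
```

On the constructed data this reports dev and prod in zigmaxlabdata as exposed and dev in zigmaxlabsec as public but blocked; the account-level switch is the setting worth turning off everywhere first, because it neutralises every container-level mistake at once.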

Maxime.

AAD | Abuse Service Principals

Hi!

Attackers want to target service principals because:

  • Service accounts and service principals do not have MFA
  • Attackers can log into Azure using a service principal account
  • These accounts exist with all applications in Azure (most companies have several)
  • These accounts could be controlled through conditional access only with an Azure Active Directory P2.

Sign-in with the service principal using Azure CLI:

az login --service-principal -u YourServicePrincipalId -p YourServicePrincipalPassword --tenant YourTenantId --allow-no-subscriptions

To prevent this attack, you can define Conditional Access policies for your service principals. You need an Azure Active Directory Premium P2 license to enable this feature.
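Because a stolen secret lets an attacker sign in exactly as the automation would, with no MFA prompt to fail, detection has to rely on where and how the sign-in happens. The Python script below is an added example (not from the original post) that runs two checks over service principal sign-in records: a successful sign-in from an IP address the principal has never used before, and a success preceded by a burst of failed attempts from the same IP, which is what guessing or rotating through leaked secrets looks like. The records are constructed; their field names are assumed to follow the AADServicePrincipalSignInLogs table that Azure AD exports to Log Analytics, and result code 7000215 is assumed to be the invalid-client-secret failure.

```python
"""Flag anomalous service principal sign-ins (added example).

Records mirror four columns of the AADServicePrincipalSignInLogs table
(assumed names); the values are constructed. ResultType "0" is a successful
sign-in, "7000215" is assumed to be "invalid client secret".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FIELDS = ("TimeGenerated", "ServicePrincipalName", "IPAddress", "ResultType")

# Constructed sample: a week of normal CI activity, then one odd day.
RAW_ROWS = [
    ("2023-03-01T02:00:00Z", "sp-ci-deploy",    "40.112.10.5",   "0"),
    ("2023-03-02T02:00:00Z", "sp-ci-deploy",    "40.112.10.5",   "0"),
    ("2023-03-03T02:00:00Z", "sp-ci-deploy",    "40.112.10.5",   "0"),
    ("2023-03-08T02:00:00Z", "sp-ci-deploy",    "40.112.10.5",   "0"),
    ("2023-03-08T14:21:00Z", "sp-ci-deploy",    "198.51.100.77", "0"),
    ("2023-03-08T15:02:00Z", "sp-backup-agent", "203.0.113.9",   "7000215"),
    ("2023-03-08T15:03:00Z", "sp-backup-agent", "203.0.113.9",   "7000215"),
    ("2023-03-08T15:04:00Z", "sp-backup-agent", "203.0.113.9",   "7000215"),
    ("2023-03-08T15:05:00Z", "sp-backup-agent", "203.0.113.9",   "0"),
]
SAMPLE_LOGS = [dict(zip(FIELDS, row)) for row in RAW_ROWS]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the log export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(records, baseline_end):
    """Map each principal to the IPs it signed in from successfully before
    `baseline_end`. In production this window would be weeks, not days."""
    known = defaultdict(set)
    for r in records:
        if r["ResultType"] == "0" and parse_ts(r["TimeGenerated"]) < baseline_end:
            known[r["ServicePrincipalName"]].add(r["IPAddress"])
    return known


def detect(records, baseline_end, failure_threshold=3, window=timedelta(minutes=10)):
    """Evaluate every record at or after `baseline_end` against two rules.

    new_ip          - success from an IP never seen for that principal.
    secret_guessing - success preceded by >= failure_threshold failures
                      from the same IP within `window`.
    """
    known = build_baseline(records, baseline_end)
    recent = sorted((r for r in records if parse_ts(r["TimeGenerated"]) >= baseline_end),
                    key=lambda r: r["TimeGenerated"])
    alerts = []
    failures = defaultdict(list)  # (principal, ip) -> timestamps of failed attempts
    for r in recent:
        sp, ip = r["ServicePrincipalName"], r["IPAddress"]
        ts = parse_ts(r["TimeGenerated"])
        if r["ResultType"] != "0":
            failures[(sp, ip)].append(ts)
            continue
        if ip not in known.get(sp, set()):
            alerts.append({"rule": "new_ip", "sp": sp, "ip": ip,
                           "time": r["TimeGenerated"]})
        recent_fail = [t for t in failures[(sp, ip)] if ts - t <= window]
        if len(recent_fail) >= failure_threshold:
            alerts.append({"rule": "secret_guessing", "sp": sp, "ip": ip,
                           "time": r["TimeGenerated"], "failures": len(recent_fail)})
        failures[(sp, ip)].clear()  # a success closes the failure run
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, parse_ts("2023-03-07T00:00:00Z")):
        print(a)
```

On the constructed data the CI principal's usual sign-in passes silently, its sign-in from 198.51.100.77 raises new_ip, and the backup principal raises both new_ip and secret_guessing. The first rule is the one that catches a cleanly stolen secret; pairing it with an allowlist of the IP ranges your automation actually runs from turns it into a tight Conditional Access-style control even where the licensing for workload identity policies is not in place.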

Maxime.