Exfiltrate Azure Storage via public access

idempotent

Platform: Azure

Mappings

  • MITRE ATT&CK
    • Exfiltration

Description

Modify storage policies to download content in an Azure storage account.

Warm-up:

  • Create a storage account with anonymous blob access disabled
  • Create a storage container with an empty test file

Detonation:

  • Enable anonymous blob access on the storage account
  • Change storage container access level to allow public access (anonymous access to containers and blobs)
  • Download test file from the public container

References:

Instructions

Detonate with Stratus Red Team:

```bash
stratus detonate azure.exfiltration.storage-public-access
```

Detection

Monitor Azure Activity Logs for storage account property changes, specifically Microsoft.Storage/storageAccounts/write operations that modify storage access policies.

Sample Azure Activity Log event to monitor:

```json
"operationName": {
    "value": "Microsoft.Storage/storageAccounts/write",
    "localizedValue": "Create/Update Storage Account"
},
"properties": {
    "requestbody": "{\"properties\":{\"allowBlobPublicAccess\":true}}",
    "eventCategory": "Administrative",
    "entity": "/subscriptions/[SUBSCRIPTION-ID]/resourceGroups/stratus-red-team-storage-storage-6m6k/providers/Microsoft.Storage/storageAccounts/stratusredteamstorage",
    "message": "Microsoft.Storage/storageAccounts/write",
    "hierarchy": "[REMOVED]"
}
```
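One way to turn the event above into a detection check, as an added example that is not part of Stratus Red Team or Azure tooling. It assumes events arrive as parsed JSON objects shaped like the sample; the function names, the `requestBody` spelling fallback and the sample events are constructed for illustration.

```python
import json

WATCHED_OPERATION = "microsoft.storage/storageaccounts/write"

def enables_public_blob_access(event):
    """True when a storage account write sets allowBlobPublicAccess to true."""
    op = event.get("operationName")
    op_value = op.get("value", "") if isinstance(op, dict) else str(op or "")
    if op_value.lower() != WATCHED_OPERATION:
        return False
    props = event.get("properties") or {}
    # requestbody is a JSON document encoded as a string, so it needs a second parse.
    raw = props.get("requestbody") or props.get("requestBody")  # requestBody spelling: assumption
    if not isinstance(raw, str):
        return False
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return False  # truncated or redacted body: no evidence either way
    inner = body.get("properties") if isinstance(body, dict) else None
    return isinstance(inner, dict) and inner.get("allowBlobPublicAccess") is True

def find_alerts(events):
    """Return the resource ID (properties.entity) of every matching event."""
    return [e["properties"].get("entity", "<unknown>")
            for e in events if enables_public_blob_access(e)]

def _event(operation, requestbody, account):  # builds constructed sample events
    return {
        "operationName": {"value": operation},
        "properties": {
            "requestbody": requestbody,
            "entity": "/subscriptions/[SUBSCRIPTION-ID]/resourceGroups/example-rg"
                      "/providers/Microsoft.Storage/storageAccounts/" + account,
        },
    }

WRITE = "Microsoft.Storage/storageAccounts/write"
SAMPLE_EVENTS = [  # constructed for this example, not real log data
    _event(WRITE, '{"properties":{"allowBlobPublicAccess":true}}', "acct1"),
    _event(WRITE, '{"properties":{"allowBlobPublicAccess":false}}', "acct2"),
    _event(WRITE, '{"properties":{"minimumTlsVersion":"TLS1_2"}}', "acct3"),
    _event(WRITE, '{"properties":{"allowBlobPublic', "acct4"),  # truncated body
    _event("Microsoft.Storage/storageAccounts/listKeys/action", "", "acct5"),
]

if __name__ == "__main__":
    for resource_id in find_alerts(SAMPLE_EVENTS):
        print("ALERT: anonymous blob access enabled on", resource_id)
```

Only the first sample event alerts: writes that disable the setting, change unrelated properties, or carry an unparseable body are ignored rather than raising an error.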