AZT605.1 - Resource Secret Reveal: Storage Account Access Key Dumping#

By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.

Resource

Azure Storage Account

Actions

Microsoft.Storage/storageAccounts/listkeys/action

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Get-AzStorageAccountKey

az storage account keys

https://{myaccount}.blob.core.windows.net/?restype=service&comp=userdelegationkey

storagekeys

Detections

Logs#

Data Source	Operation Name	Action	Log Provider
Resource	MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION	Microsoft.Storage/storageAccounts/listkeys/action	AzureActivity

Queries#

Platform	Query
Log Analytics	`AzureActivity \| where OperationNameValue == 'MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION' and ActivityStatusValue == 'Start'`

Azure Monitor Alert#

Additional Resources

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal