AZT605.1 - Resource Secret Reveal: Storage Account Access Key Dumping#

By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.

Resource

Azure Storage Account

Actions

Microsoft.Storage/storageAccounts/listkeys/action

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Get-AzStorageAccountKey

az storage account keys

https://{myaccount}.blob.core.windows.net/?restype=service&comp=userdelegationkey

storagekeys

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Resource	TBD	TBD	Azure Activity Log

Queries#

Log Analytics

|where OperationNameValue=="TBD"

Additional Resources

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal