Azure Storage account enumeration

ID: azure_storage_account_enumeration
Data type: Azure Activity
Severity: Informational
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected enumeration of Azure Storage account keys across multiple accounts. The listKeys API action is often called before listing containers in storage accounts. Multiple key enumerations across different accounts in a short time frame may indicate reconnaissance activity by an attacker mapping out accessible storage resources.

Impact

Storage account key enumeration can expose sensitive data by revealing which accounts an identity has access to. Attackers may use this information to identify high-value targets for data exfiltration. Successfully retrieved keys provide full access to storage account contents, including blobs, files, tables, and queues.

Severity

Severity: Informational
Condition: Storage account key enumeration across multiple accounts

Investigation and Remediation

Review the identity performing the enumeration and determine if the activity was authorized. Examine which storage accounts were targeted and whether any data was subsequently accessed. If unauthorized, rotate keys for affected storage accounts and investigate the identity's recent activity for additional compromise indicators.
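The pattern from the Description, and the triage question of which storage accounts were targeted, sketched as an added example (not AlphaSOC's detection logic). The simplified record fields, the threshold of three accounts and the 10-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

def _ev(ts, caller, account, op=LIST_KEYS):
    # Builds one constructed record with simplified Azure Activity fields.
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-demo/providers/Microsoft.Storage/storageAccounts/" + account)
    return {"time": ts, "caller": caller, "operationName": op, "resourceId": rid}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:05Z", "app-7f3c", "acct-a"),
    _ev("2024-05-01T10:00:40Z", "app-7f3c", "acct-b", LIST_KEYS.upper()),
    _ev("2024-05-01T10:01:10Z", "app-7f3c", "acct-c"),
    _ev("2024-05-01T10:02:30Z", "app-7f3c", "acct-d"),
    _ev("2024-05-01T09:00:00Z", "deploy-bot", "acct-a"),
    _ev("2024-05-01T09:00:30Z", "deploy-bot", "acct-a"),
    _ev("2024-05-01T09:01:00Z", "deploy-bot", "acct-b"),
    _ev("2024-05-01T08:00:00Z", "auditor", "acct-a"),
    _ev("2024-05-01T11:00:00Z", "auditor", "acct-b"),
    _ev("2024-05-01T14:00:00Z", "auditor", "acct-c"),
    _ev("2024-05-01T10:00:00Z", "reader", "acct-a", "Microsoft.Storage/storageAccounts/read"),
]

def find_key_enumeration(events, min_accounts=3, window=timedelta(minutes=10)):
    """Map each caller that listed keys on >= min_accounts distinct storage
    accounts within `window` (assumed thresholds) to the accounts it touched."""
    by_caller = defaultdict(list)
    for e in events:
        if e["operationName"].lower() != LIST_KEYS.lower():
            continue  # compare case-insensitively; casing can vary by log source
        ts = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_caller[e["caller"]].append((ts, e["resourceId"].rsplit("/", 1)[-1].lower()))
    findings = {}
    for caller, hits in by_caller.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window start forward
            accounts = {name for _, name in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                findings.setdefault(caller, set()).update(accounts)
    return {caller: sorted(names) for caller, names in findings.items()}

if __name__ == "__main__":
    for caller, accounts in find_key_enumeration(SAMPLE_EVENTS).items():
        print(caller, "listed keys on", ", ".join(accounts))
```

The returned account list per caller is the set to review for subsequent data access and, if the activity was unauthorized, for key rotation.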

Known False Positives

  • Legitimate infrastructure discovery by DevOps tools
  • Automated configuration management scanning storage resources
  • Security auditing tools checking key configurations