Malware Scanning in Defender for Cloud – Notes from the Field

This post discusses the new Microsoft Defender for Cloud – Malware Scanning feature. While this feature was released recently, I tested it as a private preview, and it has many notes, some of which are mentioned in this post.

“Living off the Cloud” refers to modernizing old-school tactics by adversaries and using them to store and distribute malicious files in the Cloud. It involves using cloud storage services like Azure Storage, AWS S3, etc. These services provide a secure and scalable platform for storing and accessing files, making them an attractive target for hackers.

By using cloud storage, hackers can bypass traditional security measures like firewalls and intrusion detection systems, which may not be configured to monitor traffic to and from cloud services. They can also take advantage of cloud storage’s scalability and distributed nature to distribute Malware to many targets quickly and efficiently.

To carry out this tactic, hackers typically create an account with a cloud storage provider using a stolen or fake identity. They then use this account to upload and store malicious files, which can be accessed and downloaded by other hackers or malware bots.

To mitigate the risks associated with “living off the cloud,” organizations should implement robust security measures for cloud-based services, such as encryption, access controls, and monitoring. They should also ensure their employees are trained on cloud security best practices, such as using strong passwords and not sharing credentials.

Cloud storage providers are also responsible for monitoring and detecting suspicious activity on their platforms and taking action to prevent malicious use. This includes monitoring for unusual access patterns, scanning files for Malware, and detecting and blocking malicious accounts.

Attackers run campaigns using Azure blob or any other cloud storage in many situations. For example, “an Office 365 phishing attack utilizes an exciting method of storing their phishing form hosted on Azure Blob Storage to be secured by a Microsoft SSL certificate. Azure Blob is a Microsoft storage solution that can store unstructured data such as images, videos, or text.”

More about this attack in the following post – Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft (bleepingcomputer.com).

Storage accounts can be a malware entry point and a malware distribution point. To protect from this threat, content in cloud storage must be scanned for malware before it’s accessed. 

Microsoft recently announced a series of new capabilities, including Malware Scanning. The Public Preview of Malware Scanning for Defender for Storage and new data-aware threat detection. Malware Scanning for Defender for Storage enables security teams to scan content upon upload and detect polymorphic and metamorphic Malware in near real-time. Security teams can prevent malware distribution across their storage resources with agentless and simple at-scale enablement. With the new data-aware layer, security teams can leverage the sensitive data threat detection feature to prioritize storage resources containing sensitive data and detect sensitive data exfiltration and exposure events.

More about this announcement in the following post – Announcing Defender CSPM GA and new data security capabilities in Microsoft Defender for Cloud, our comprehensive multicloud CNAPP

Security Threat

Azure storage has many security threats like any other components in the Cloud. We must know these security threats to know how to protect, investigate and create detection rules. Viewing this scenario from an attacker’s perspective can be helpful.

The following posts provide how to attack and defend Azure Storage with the existing risks and threats and how to attack every Azure storage.

Azure Blob Container For Defenders

Azure Blob Container Threats & Attacks

The common security threats in Azure Storage can be:

• Credentials theft
• Data collection by blob hunting
• Access token abuse and leakage
• Reconnaissance with search engines
• Insufficient authentication mechanisms
• Insider threats with existing permissions
• Lateral movement from compromised workloads

The Azure Storage matrix is a great way to know the tactics, risks, and threats for Azure Storage.

Image source: Threat matrix for storage services – Microsoft Security Blog

Need to Know

While Malware scanning in Defender for Storage is excellent news and can work in some scenarios – it still has some boundaries. Here are some of the best practices and helpful information:

Malware Scanning

• A built-in SaaS solution that allows simple enabling at scale with zero maintenance.
• Comprehensive antimalware capabilities using Microsoft Defender AV – for polymorphic and metamorphic Malware.
• Every file type, including archives files, is scanned, and a result is returned for every scan.
• It can work with other security restrictions in Azure storage.
• The file size limit is 2 GB.
• Supports response at scale – deleting or quarantining suspicious files based on the blobs’ index tags or Event Grid events.
• Detailed Microsoft Defenders for Cloud security alerts are generated when the malware scan identifies a malicious file.
• Designed to help fulfill security and compliance requirements to scan untrusted content uploaded to storage, including an option to log every scan result.
• Azure-native solution offering an advanced layer of intelligence for threat detection and mitigation in storage accounts
• Powered by Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery.
• Near real-time Malware Scanning and sensitive data threat detection.
• Archived file scanning can take time.
• Password-protected files cannot be uploaded due to other restrictions.
• Malware Scanning is a paid add-on feature to Defender for Storage, currently available for Azure Blob Storage.
• Scanning can take time with Malware that has big files.
• Scanning can fail with Malware that has new advanced techniques.
• To get an investigation posture, you need to configure additional logs.
• Data at rest – At least for the existing point in time, you need to run some trigger to allow Defender to detect existing files.

Hash reputation analysis isn’t supported for all file protocols and operation types - Some, but not all, of the telemetry logs contain the hash value of the related blob or file. In some cases, the telemetry doesn’t contain a hash value. As a result, some operations can’t be monitored for known malware uploads. Examples of unsupported use cases include SMB file shares and when a blob is created using Put Block and Put Block List.

Security Alerts

The malware scanning alert will be Potential Malware uploaded to a storage blob container. The alert description will be the following:

• Scenario – Malicious content upload
• Description – Malware Scanning scans every blob uploaded to your storage accounts. It detects ransomware, viruses, spyware, and other Malware uploaded to the storage account, helping you prevent it from entering the organization and spreading. The classic malware hash analysis alert operates differently from Malware Scanning. It compares the uploaded blob/file hash with a list of known malicious hash signatures rather than analyzing the file contents for Malware.
• Requirements – Malware Scanning needs to be enabled. Supported only on Azure Blob in Standard general-purpose v2, Azure Data Lake Storage Gen2, premium block blobs, and storage accounts.

The following security alert was raised after uploading real-life Malware.

It provides information for the following entities:

• File
• File hash
• IP
• Malware family
• Network connections
• Azure resource
• Threat report
• container
• Potential
• User-agent
• Location
• Auth type

A quick view for malware alert in Microsoft Sentinel.

The testing is based on Microsoft documentation scenarios and other tests I did with the following Malware.

General Settings

To get the correct alerts for almost every file, you must ensure the configuration and enable the following requirements and best practices.

Note: While malware scanning needs public access, it’s strongly recommended to work with storage restrictions – Make sure to configure with a specific network, configure ACL on the object level, and configuration restrictions.

Event Grid Provider – Event Grid resource provider must be registered to create the Event Grid System Topic to detect upload triggers.

Malware Scanning Settings – Additionally, you need to configure the Malware Scanning in Defender for Storage with the following settings:

• Enable Microsoft Defender for Storage.
• Enable the Malware Scanning or sensitive data threat detection configurable features.
• Override subscription-level settings to configure specific storage accounts with custom configurations that differ from the subscription level.

There are several ways to enable Defender for Storage on subscriptions: Azure portal, Azure built-in policy, IaC templates including Bicep and ARM, and REST API.

Bear in mind that the settings above can be configured for a production environment with the required restrictions, but you must also allow public access.

Confidence Check

After you enable Microsoft Defender for Storage, you can test the service and run an actual malware or sample to familiarize yourself with its features and validate the advanced security capabilities effectively protect your storage accounts by generating accurate security alerts.

The component to test is Malware Scanning.

When running malware testing in Defender for Storage, you must ensure the machine you are running from is isolated from any other devices. Once you’ve got an isolated device, you can run the malware scanning testing. For example, you can download from the following repo – malware-samples · GitHub Topics.

Once you’ve got Malware on Azure blob, you will get alerts, and from there, you can investigate the alerts in Defedenr for Cloud and Microsoft Sentinel.

The next posts will discuss Malware automation and investigation with Microsoft Sentinel.