Azure Blob Storage PowerShell Scanning Script
Azure Blob Containers are meant to be opened…
The cloud’s capabilities, particularly in security, keep expanding and bring impressive value. However, old misconfigurations still occur even in the most hardened and monitored environments, and one of them is an open Azure Blob Container. This misconfiguration has not changed since its early days, even in environments with policy, governance, and so on in place. A publicly open Azure Blob Container isn’t only about potential exposure; it’s about tokens, keys, and other sensitive information. A misconfigured Azure Blob Container can also lead to cloud ransomware.
I covered the Defender side and the risks and threats in the blog posts below. Nothing has changed, and they are still valid. So what has changed, or can change? The PowerShell script that can scan, discover, and enumerate objects in Azure is straightforward. So, enumeration is the key: fuzz for the open blob. 😎
The Azure Blob Container Scanning script is a dedicated script for scanning Azure Blob container objects with specific prefixes, suffixes, and other parameters. It can scan the Blob Container for hours. The tip is to supply the likely prefixes and suffixes to reduce the time the script may run.
This basic PowerShell script has been run on many environments, and treasure was found. In the end, it made a successful discovery. Still, it can run for many hours if it is not given the correct parameters.

Download the Azure Blob Container Scanning PowerShell script here.
Below are the posts about Azure Blob with a quick summary.
Azure Blob for Defenders
The blog post “Azure Blob Container for Defenders” discusses using Azure Blob Storage containers for cybersecurity defenders and incident responders. Below are the highlights of this post.
Purpose and Benefits
The author explains that Azure Blob Storage containers can be valuable for storing and sharing various data related to cybersecurity investigations and incident response. These containers offer:
- Secure storage: A safe place to keep sensitive data
- Easy sharing: Ability to share information with team members or other authorized parties
- Scalability: Can handle large amounts of data
Types of Data Stored
The blog post mentions several types of data that defenders might store in Azure Blob containers:
- Malware samples
- Network packet captures (PCAPs)
- Log files
- Disk images
- Memory dumps
- Screenshots and other visual evidence
Use Cases
The author outlines several scenarios where Azure Blob containers can be particularly useful:
- Collaborative investigations: Sharing evidence with team members or external partners
- Long-term storage: Keeping historical data for future reference or compliance purposes
- Automated analysis: Integrating with security tools for automated processing of stored data
Security Considerations
The post emphasizes the importance of implementing proper security measures when using Azure Blob containers for sensitive data:
- Enabling encryption at rest and in transit
- Implementing strong access controls
- Regular auditing of container access and contents
Attack Azure Blob Container
The second blog post discusses Azure Blob Container security risks, threats, and potential attacks. Below are the highlights from this post:
Azure Storage Overview
Azure Storage is Microsoft’s cloud storage solution. It offers various data storage options, including Blob Storage, Queue Storage, Disk Storage, Table Storage, and Azure Files. This post focuses on Azure Blob Storage, which is designed for storing large volumes of unstructured data.
Azure Blob Container Architecture
The post explains the structure of Azure Blob Storage, including:
- Storage accounts
- Containers
- Blobs
It also covers access levels (private, blob, and container) and naming conventions for accounts, containers, and blobs.
Security Risks
Several security risks associated with cloud storage are highlighted:
- Lack of control over data management
- Potential for data leakage
- Risks related to APIs and storage gateways
- Misconfiguration leading to public exposure
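As an added example (not code from the original posts or from the scanning script), the PowerShell below shows how a defender can combine the access levels and the misconfiguration risk described above into an audit of their own storage accounts. The function name `Get-BlobExposure`, the record shape, and the sample inventory are assumptions constructed for illustration; the commented lines use Az.Storage cmdlets to build the same records from a live subscription.

```powershell
# Added example. Sample records are constructed, not from a real tenant.
function Get-BlobExposure {            # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Container)
    process {
        # The account-level switch overrides every container ACL when $false.
        # $null (never set, older accounts) is treated as "allowed" to be safe.
        $accountAllows = $Container.AllowBlobPublicAccess -ne $false
        $level     = "$($Container.PublicAccess)".ToLowerInvariant()
        $aclPublic = $level -in 'blob', 'container'

        if (-not $aclPublic)            { $exposure = 'None' }
        elseif (-not $accountAllows)    { $exposure = 'None (blocked at account level)' }
        elseif ($level -eq 'container') { $exposure = 'Anonymous list and read' }
        else                            { $exposure = 'Anonymous read of blobs by URL' }

        # A public ACL is worth reviewing even when the account currently blocks it:
        # it becomes effective again if the account switch is ever re-enabled.
        $action = if ($aclPublic) { 'Confirm intent or set access level to private' } else { 'None' }

        [pscustomobject]@{
            Account = $Container.Account; Container = $Container.Name
            Level = $level; Exposure = $exposure; Action = $action
        }
    }
}

# Constructed inventory covering the three access levels and the account switch.
$inventory = @(
    [pscustomobject]@{ Account='stdemo01'; Name='backups';  AllowBlobPublicAccess=$true;  PublicAccess='Container' }
    [pscustomobject]@{ Account='stdemo01'; Name='images';   AllowBlobPublicAccess=$true;  PublicAccess='Blob' }
    [pscustomobject]@{ Account='stdemo02'; Name='logs';     AllowBlobPublicAccess=$false; PublicAccess='Container' }
    [pscustomobject]@{ Account='stdemo03'; Name='evidence'; AllowBlobPublicAccess=$null;  PublicAccess='Off' }
)

# Live inventory instead (requires Az.Storage, Connect-AzAccount and data-plane access):
# $inventory = Get-AzStorageAccount | ForEach-Object {
#     $a = $_
#     Get-AzStorageContainer -Context $a.Context | ForEach-Object {
#         [pscustomobject]@{ Account = $a.StorageAccountName; Name = $_.Name
#                            AllowBlobPublicAccess = $a.AllowBlobPublicAccess
#                            PublicAccess = $_.PublicAccess }
#     }
# }

$inventory | Get-BlobExposure | Sort-Object Account, Container | Format-Table -AutoSize
```

Findings can be closed per container with `Set-AzStorageContainerAcl -Permission Off`, or for the whole account with `Set-AzStorageAccount -AllowBlobPublicAccess $false`.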
Threat Stages
The post outlines various stages of potential attacks on Azure Blob Containers, following the MITRE ATT&CK framework:
Reconnaissance – Techniques for discovering Azure Blobs and containers, including using tools like Microburst and BlobHunter.
Initial Access – Methods by which attackers might gain initial access, such as exploiting valid SAS URIs, access keys, or public access settings.
Persistence – Techniques for maintaining access, including modifying firewall configurations and RBAC settings.
Defense Evasion – Ways attackers might avoid detection, such as changing network configurations, modifying RBAC, and abusing legitimate storage features.
Credential Access – Methods for stealing or accessing storage account keys and cloud shell profiles.
Discovery – Techniques for gathering information about the storage environment post-compromise.