
Dumping Azure storage keys

Tools: MicroBurst, Lava

Steps:

MicroBurst

1) Authenticate with the account that has Contributor access

Connect-AzAccount 

2) Import the MicroBurst module

Import-Module MicroBurst.psm1

3) Dump the keys for the Azure storage instances. This function can also extract data plane keys for other PaaS services, but we exclude those services for now by passing N for their parameters

Get-AzPasswords -AutomationAccounts N -AppServices N -Keys N -ACR N -CosmosDB N -Verbose | Out-GridView 
  • When prompted, select the appropriate Azure subscription and click OK

  • The credentials are dumped from the storage accounts. They can be used to hunt for more credentials, exfiltrate data, etc.

4) Install Microsoft Azure Storage Explorer

choco install microsoftazurestorageexplorer -y 

5) From the Start menu, search for Storage Explorer, then click on the app

6) In the Connect to Azure Storage window, select Storage account

7) In the Select Authentication Method window, select Account name and key then click Next

8) In the Enter Connection Info window, enter the following information:

    1. Display name: DISPLAY_NAME

    2. Account Name: ACCOUNT_NAME

    3. Account Key: ACCOUNT_KEY

9) Click Next

10) In the Summary window, click Connect

Review the files and note that we now have persistent access to the storage account and the content of all its services. This gives an attacker a lot of room to cause damage. For example, an attacker could encrypt data in the service in a ransomware attack, inject malicious data into NoSQL table stores, or poison applications using storage queues.
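
Detection side of step 3, as an added example that is not part of the original page or of MicroBurst: dumping keys for every storage account shows up in the Azure Activity Log as one caller invoking Microsoft.Storage/storageAccounts/listKeys/action against many accounts in a short time. The function name, the record fields (Time, Caller, Operation, ResourceId), the thresholds and the sample records are assumptions constructed for illustration; map the fields from your own Activity Log export.

```powershell
# Added example: flag callers that list keys on many storage accounts
# within a short window. Works on already-exported Activity Log records.
function Find-StorageKeySweep {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $MinAccounts = 3,                          # assumed threshold
        [timespan] $Window = [timespan]::FromMinutes(5)  # assumed window
    )
    $listKeys = 'Microsoft.Storage/storageAccounts/listKeys/action'
    # -eq is case-insensitive, so upper-cased operation names also match
    $hits = $Records | Where-Object { $_.Operation -eq $listKeys }
    foreach ($group in ($hits | Group-Object Caller)) {
        $calls = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $calls.Count; $i++) {
            # Sliding window that starts at each listKeys call in turn
            $end = $calls[$i].Time + $Window
            $inWindow = @($calls[$i..($calls.Count - 1)] |
                Where-Object { $_.Time -le $end })
            # The storage account name is the last segment of the resource ID
            $accounts = @($inWindow |
                ForEach-Object { ($_.ResourceId -split '/')[-1].ToLower() } |
                Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                [pscustomobject]@{
                    Caller    = $group.Name
                    FirstSeen = $calls[$i].Time
                    Accounts  = $accounts
                }
                break   # one finding per caller is enough
            }
        }
    }
}

# Constructed sample records (not real log data)
$op  = 'Microsoft.Storage/storageAccounts/listKeys/action'
$rid = '/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/'
$t0  = [datetime]'2024-05-01T10:00:00'
$names = 'stgweb01', 'stglogs01', 'stgdata01', 'stgbackup01'
# One routine key read by an operator, one hour earlier
$sample = @([pscustomobject]@{ Time = $t0.AddHours(-1); Caller = 'ops@example.com'
                               Operation = $op; ResourceId = $rid + 'stgweb01' })
# Four accounts read by one identity within 15 seconds
$sample += 0..3 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(5 * $_); Caller = 'contrib@example.com'
                       Operation = $op; ResourceId = $rid + $names[$_] }
}

Find-StorageKeySweep -Records $sample | Format-List
```

Because a dumped account key stays valid until it is regenerated, a finding here is a cue to rotate both keys on every account listed.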

Lava
