Az - Storage Persistence

Reading time: 2 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Storage Privesc

For more information about storage check:

Az - Storage Accounts & Blobs

Common tricks

Keep the access keys
Generate SAS
- User delegated are 7 days max

Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write

These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information.

bash

az storage account blob-service-properties update \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --enable-container-delete-retention true \
  --container-delete-retention-days 100

Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action

These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information.