🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
☁️ HackTricks Cloud / Az - Storage Persistence

Az - Storage Persistence

{{#include ../../../banners/hacktricks-training.md}}

Storage Privesc

For more information about storage check:

{{#ref}}
../az-services/az-storage.md
{{#endref}}

Common tricks

  • Keep the access keys
  • Generate SAS
  • User delegated are 7 days max

Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write

These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information.

az storage account blob-service-properties update \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --enable-container-delete-retention true \
  --container-delete-retention-days 100

Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action

These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information.

az storage blob service-properties delete-policy update \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --enable true \
  --days-retained 100

{{#include ../../../banners/hacktricks-training.md}}