Investigating SFTP Access Abuse in Azure Storage Accounts


In this article, we'll explore new techniques that abuse SFTP access from the Azure Storage Threat Matrix. Azure Blob Storage supports the SSH File Transfer Protocol (SFTP), enabling secure connections for file access, transfer, and management. However, attackers can exploit SFTP access in various ways. We'll explore how to detect compromised SFTP credentials and their malicious usage, including backdoor uploads and other nefarious activities. Additionally, we'll discuss methods to identify the creation of new SFTP accounts for sustaining persistent access.

Creation of SFTP account for Persistence

Attackers may create an SFTP local user to maintain access to a target storage account. The SFTP account is local to the storage account and is not subject to Azure RBAC permissions. It is also unaffected by rotation of the storage account access keys. Hence, it's a highly effective method for attaining persistence within containers (blobs) through SFTP access.

Threat Matrix Tactics-Techniques

Detection

The query below detects whether SFTP has been enabled (created) on a storage account. The request body is used when present and the response body otherwise, because the activity log does not always carry both:

AzureActivity
| where OperationNameValue contains "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
| extend StorageAccount=Properties_d.resource
| extend SftpEnabled=iff(isnull(Properties_d.requestbody),
    parse_json(tostring((parse_json(tostring(parse_json(Properties_d.responseBody))).properties))).isSftpEnabled,
    parse_json(tostring((parse_json(tostring(parse_json(Properties_d.requestbody))).properties))).isSftpEnabled)
| extend LocalUserEnabled=parse_json(tostring((parse_json(tostring(parse_json(Properties_d.responseBody))).properties))).isLocalUserEnabled
| where SftpEnabled==true
| project TimeGenerated, OperationNameValue, ActivityStatusValue, StorageAccount, ResourceGroup, Caller, CallerIpAddress, SftpEnabled, LocalUserEnabled, Properties_d

The query below detects whether a local user was created (or updated) for SFTP access, as well as password-regeneration events, which set the password used for SFTP access:

AzureActivity
| where OperationNameValue in  ("MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/WRITE","MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/REGENERATEPASSWORD/ACTION")
| extend UserAccount=Properties_d.resource
| project TimeGenerated, OperationNameValue, ActivityStatusValue, UserAccount, ResourceGroup, Caller, CallerIpAddress
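The two activity-log checks above, rewritten as an added Python example (not code from the original article) so the request-body/response-body fallback can be seen step by step. The AzureActivity rows are constructed samples; as in the KQL, requestbody and responseBody are JSON strings inside Properties_d.

```python
import json

# Constructed sample AzureActivity rows (not real tenant data). Properties_d mirrors
# the Log Analytics column: requestbody/responseBody are JSON *strings*, which is why
# the KQL wraps them in parse_json(tostring(...)).
SAMPLE_ACTIVITY = [
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "Properties_d": {"resource": "stgexample",
                      "requestbody": json.dumps({"properties": {"isSftpEnabled": True}}),
                      "responseBody": json.dumps({"properties": {
                          "isSftpEnabled": True, "isLocalUserEnabled": True}})}},
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",   # no requestbody
     "Caller": "bob@example.com", "CallerIpAddress": "203.0.113.11",
     "Properties_d": {"resource": "stgother",
                      "responseBody": json.dumps({"properties": {
                          "isSftpEnabled": False, "isLocalUserEnabled": False}})}},
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/WRITE",
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "Properties_d": {"resource": "sftpuser1"}},
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/REGENERATEPASSWORD/ACTION",
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10",
     "Properties_d": {"resource": "sftpuser1"}},
]

LOCAL_USER_OPS = {
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/REGENERATEPASSWORD/ACTION",
}

def _nested_property(body, name):
    """Decode a JSON-string body and return properties.<name> (None if absent)."""
    if body is None:
        return None
    return json.loads(body).get("properties", {}).get(name)

def sftp_enabled_events(records):
    """Rows where SFTP was switched on. Like the KQL, prefer the request body
    (what the caller asked for) and fall back to the response body when absent."""
    hits = []
    for r in records:
        if "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" not in r["OperationNameValue"]:
            continue
        p = r["Properties_d"]
        enabled = _nested_property(p.get("requestbody"), "isSftpEnabled")
        if enabled is None:
            enabled = _nested_property(p.get("responseBody"), "isSftpEnabled")
        if enabled is True:
            hits.append({"StorageAccount": p["resource"], "Caller": r["Caller"],
                         "CallerIpAddress": r["CallerIpAddress"],
                         "LocalUserEnabled": _nested_property(p.get("responseBody"),
                                                              "isLocalUserEnabled")})
    return hits

def local_user_events(records):
    """Local SFTP user create/update and password-regeneration events."""
    return [{"UserAccount": r["Properties_d"]["resource"], "Caller": r["Caller"],
             "Operation": r["OperationNameValue"]}
            for r in records if r["OperationNameValue"] in LOCAL_USER_OPS]
```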

Compromised SFTP Credentials Abuse

Attackers may obtain and abuse credentials of an SFTP account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol.

An SFTP connection requires an SFTP account, which is managed locally in the storage account instance along with its credentials, either a password or an SSH key pair. Attackers who obtain the password of such a local account use it to gain unauthorized access to blob containers.


Threat Matrix Tactics-Techniques

Detection

Here's a simple KQL query to look for any SFTP access from the logs:

StorageBlobLogs
| where Protocol=="SFTP"
| where StatusCode==200
| project TimeGenerated, AccountName, Protocol, OperationName, AuthenticationType, StatusCode, StatusText, Uri, CallerIpAddress, UserAgentHeader, RequesterObjectId

Here's a KQL query to look for failed connection attempts, such as wrong passwords (SftpConnect returning 403):

StorageBlobLogs
| where Protocol=="SFTP"
| where OperationName=="SftpConnect"
| where StatusCode==403
| project TimeGenerated, AccountName, Protocol, OperationName, AuthenticationType, StatusCode, StatusText, Uri, CallerIpAddress, UserAgentHeader, RequesterObjectId

KQL query to detect SFTP access authenticated with a local user password (AuthenticationType of LocalUserPassword):

StorageBlobLogs
| where Protocol=="SFTP"
| where StatusCode==200
| where AuthenticationType=="LocalUserPassword"
| project TimeGenerated, AccountName, Protocol, OperationName, AuthenticationType, StatusCode, StatusText, Uri, CallerIpAddress, UserAgentHeader, RequesterObjectId

Attackers may use storage services to stage a malicious program or toolset to be executed later in their operation. In addition, adversaries may exploit the trust between users and their organization's storage services by hosting phishing content there. Furthermore, storage services can be used to park gathered intelligence that is exfiltrated whenever it suits the actor group.

Here's a KQL query to detect potential uploading of malicious backdoors using the SFTP put operation:

StorageBlobLogs
| where Protocol=="SFTP"
| where StatusCode==200
| where AuthenticationType=="LocalUserPassword"
| where OperationName in ('SftpCreate','SftpWrite','SftpCommit')
| project TimeGenerated, AccountName, Protocol, OperationName, AuthenticationType, StatusCode, StatusText, Uri, CallerIpAddress, UserAgentHeader, RequesterObjectId

Notable Fields from logs

The image below shows sample data from live logs, highlighting the OperationName and AuthenticationType fields.

Common OperationName values in the logs and the SFTP client actions they correspond to:

Upload new files (put operation)

  • SftpCreate
  • SftpWrite
  • SftpCommit

Create Folder

  • SftpMakeDir

Listing a directory generates the following operations

  • SftpOpenDir
  • SftpReadDir
  • SftpCloseDir

Change Directory

  • SftpStat

Downloading a file with the get command generates the following events

  • SftpOpen
  • SftpRead
  • SftpClose
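The StorageBlobLogs detections above and the operation-name mapping in this section, combined in one added Python example (not code from the original article). The log rows are constructed samples; the failed-connect threshold of 3 is an assumption, and each client action is keyed on the last operation of its group (for example SftpCommit closes a put).

```python
from collections import Counter

def _row(op, status, uri, ip="198.51.100.7"):
    """Build one constructed StorageBlobLogs-style row (field names as in the queries)."""
    return {"Protocol": "SFTP", "OperationName": op, "StatusCode": status,
            "AuthenticationType": "LocalUserPassword", "Uri": uri, "CallerIpAddress": ip}

BASE = "https://stgexample.blob.core.windows.net/data/"   # constructed sample account
SAMPLE_BLOB_LOGS = (
    [_row("SftpConnect", 403, "") for _ in range(3)]        # three wrong-password attempts
    + [_row("SftpConnect", 200, "")]                        # then a successful login
    + [_row(op, 200, BASE + "update.exe")                   # put: create, write, commit
       for op in ("SftpCreate", "SftpWrite", "SftpCommit")]
    + [_row(op, 200, BASE)                                  # ls: opendir, readdir, closedir
       for op in ("SftpOpenDir", "SftpReadDir", "SftpCloseDir")]
    + [_row(op, 200, BASE + "report.csv")                   # get: open, read, close
       for op in ("SftpOpen", "SftpRead", "SftpClose")]
)

# Closing operation of each group -> client action (assumed mapping, built from the list above).
ACTIONS = {"SftpCommit": "put", "SftpMakeDir": "mkdir", "SftpCloseDir": "ls",
           "SftpStat": "cd", "SftpClose": "get"}

def failed_connects_by_ip(rows, threshold=3):
    """Caller addresses with at least `threshold` rejected SftpConnect attempts (403)."""
    counts = Counter(r["CallerIpAddress"] for r in rows
                     if r["Protocol"] == "SFTP" and r["OperationName"] == "SftpConnect"
                     and r["StatusCode"] == 403)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def client_actions(rows):
    """Collapse successful SFTP operations into (ip, action, uri) tuples, one per
    completed client action, using the closing operation of each group."""
    out = []
    for r in rows:
        if r["Protocol"] != "SFTP" or r["StatusCode"] != 200:
            continue
        action = ACTIONS.get(r["OperationName"])
        if action:
            out.append((r["CallerIpAddress"], action, r["Uri"]))
    return out

def password_auth_uploads(rows):
    """URIs of completed puts by sessions authenticated with a local user password,
    i.e. the backdoor-upload detection expressed over rows instead of KQL."""
    pw_rows = [r for r in rows if r["AuthenticationType"] == "LocalUserPassword"]
    return [uri for _ip, action, uri in client_actions(pw_rows) if action == "put"]
```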

More info on SFTP operations

Excerpt from the Azure docs:

"Triggered when a blob is created or overwritten. Specifically, this event is triggered when clients use the put operation, which corresponds to the SftpCreate and SftpCommit APIs. An empty blob is created when the file is opened and the uploaded contents are committed when the file is closed. If the SFTP Resumable Uploads preview feature is enabled then some SftpWrite events will also be triggered during the upload."

https://learn.microsoft.com/en-us/azure/event-grid/event-schema-blob-storage?tabs=event-grid-event-schema#sftp-events
