Skip to content

Microsoft.Storage/storageAccounts/listKeys/action

Azure

Microsoft.Storage/storageAccounts/listKeys/action

service: Azure - Azure Storage
techniques:

Event

Lists the access keys for an Azure Storage account, exposing credentials that provide full data-plane access.

Security Context

  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
  • Cloud storage services are frequent targets for data theft, as they often contain sensitive files, backups, and application data.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud calls listKeys on the production storage account flcoccamy001 (before destroying it), retrieving key1 and key2. Possessing these keys lets the attacker authenticate to the storage account at the data plane (REST API) without any further Entra ID involvement — and key validity persists until the keys are explicitly regenerated.

{
"authorization": {
"action": "Microsoft.Storage/storageAccounts/listKeys/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "saLk224ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100010101",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100010110",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:58:42.4218107Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/events/90000000-0000-4000-8000-000100010110/ticks/638798225224218107",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100111000",
"operationName": {
"value": "Microsoft.Storage/storageAccounts/listKeys/action",
"localizedValue": "List Storage Account Keys"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.Storage",
"localizedValue": "Microsoft.Storage"
},
"resourceType": {
"value": "Microsoft.Storage/storageAccounts",
"localizedValue": "Microsoft.Storage/storageAccounts"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:58:43.0182701Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/listKeys",
"message": "Microsoft.Storage/storageAccounts/listKeys/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Credential Access Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...