Microsoft.Storage/storageAccounts/listKeys/action
Azure
Microsoft.Storage/storageAccounts/listKeys/action
Event
Lists the access keys for an Azure Storage account, exposing credentials that provide full data-plane access.
Security Context
- Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
- Cloud storage services are frequent targets for data theft, as they often contain sensitive files, backups, and application data.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud calls listKeys on the production storage account flcoccamy001 (before destroying it), retrieving key1 and key2. Possessing these keys lets the attacker authenticate to the storage account at the data plane (REST API) without any further Entra ID involvement — and key validity persists until the keys are explicitly regenerated.
{ "authorization": { "action": "Microsoft.Storage/storageAccounts/listKeys/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "saLk224ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100010101", "description": "", "eventDataId": "90000000-0000-4000-8000-000100010110", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T17:58:42.4218107Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/events/90000000-0000-4000-8000-000100010110/ticks/638798225224218107", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100111000", "operationName": { "value": "Microsoft.Storage/storageAccounts/listKeys/action", "localizedValue": "List Storage Account Keys" }, "resourceGroupName": "rg-occamy-pipeline", "resourceProviderName": { "value": "Microsoft.Storage", "localizedValue": "Microsoft.Storage" }, "resourceType": { "value": "Microsoft.Storage/storageAccounts", "localizedValue": "Microsoft.Storage/storageAccounts" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T17:58:43.0182701Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/listKeys", "message": "Microsoft.Storage/storageAccounts/listKeys/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Credential Access Discovery
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
- T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...