Microsoft.Storage/storageAccounts/regenerateKey/action
Event
Regenerates one of the two access keys for an Azure Storage account, invalidating the previous key.
Security Context
- Regenerating storage account keys immediately invalidates the previous key, breaking all applications and services that were using it for authentication while granting the attacker the new key.
- This technique serves a dual purpose: the adversary obtains valid credentials to access storage data while simultaneously disrupting legitimate access, combining credential theft with operational impact.
Log Source
Azure Activity Log
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access, Impact
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-b...
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.
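An added detection example, not part of the original entry: it triages exported Azure Activity Log records for successful `regenerateKey` operations, flagging callers outside an expected rotation identity and repeated regenerations on the same account. The field names (`time`, `operationName`, `resourceId`, `caller`, `resultType`), the allowlist, the 30-minute window and all sample records are assumptions constructed for illustration; adjust them to your export format.

```python
import json
from datetime import datetime, timedelta

OPERATION = "microsoft.storage/storageaccounts/regeneratekey/action"
# Hypothetical allowlist: identities expected to rotate keys in this tenant.
EXPECTED_ROTATORS = {"key-rotation@example.com"}
# Assumed heuristic: two regenerations on one account this close together
# may mean both keys were replaced, locking out every key-based client.
BURST_WINDOW = timedelta(minutes=30)

_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
_SA = _SUB + "/providers/Microsoft.Storage/storageAccounts/"
# Constructed sample records (not real log data).
SAMPLE_LOG = json.loads(json.dumps([
    {"time": "2024-01-10T02:00:00Z", "operationName": OPERATION.upper(),
     "resourceId": _SA + "stdemo01", "caller": "key-rotation@example.com", "resultType": "Success"},
    {"time": "2024-01-10T09:15:00Z", "operationName": {"value": OPERATION},
     "resourceId": _SA + "stdemo02", "caller": "user@example.com", "resultType": "Success"},
    {"time": "2024-01-10T09:20:00Z", "operationName": OPERATION,
     "resourceId": _SA + "stdemo02", "caller": "user@example.com", "resultType": "Success"},
    {"time": "2024-01-10T09:25:00Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": _SA + "stdemo02", "caller": "user@example.com", "resultType": "Success"},
    {"time": "2024-01-10T09:30:00Z", "operationName": OPERATION,
     "resourceId": _SA + "stdemo01", "caller": "user@example.com", "resultType": "Failure"},
]))

def op_name(rec):
    """Return the operation name lowercased; accepts a string or {"value": ...}."""
    op = rec.get("operationName", "")
    return (op.get("value", "") if isinstance(op, dict) else op).lower()

def find_regenerations(records, expected=EXPECTED_ROTATORS, window=BURST_WINDOW):
    """Return (time, account, caller, reasons) for suspicious successful regenerations."""
    hits = [r for r in records
            if op_name(r) == OPERATION and r.get("resultType", "").lower() == "success"]
    hits.sort(key=lambda r: r["time"])  # ISO 8601 UTC strings sort chronologically
    findings, last_seen = [], {}
    for r in hits:
        acct = r["resourceId"].lower()  # resource IDs are case-insensitive
        ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        reasons = []
        if r.get("caller", "").lower() not in expected:
            reasons.append("unexpected caller")
        if acct in last_seen and ts - last_seen[acct] <= window:
            reasons.append("repeated regeneration")
        last_seen[acct] = ts
        if reasons:
            findings.append((r["time"], acct, r.get("caller"), reasons))
    return findings
```

Failed attempts are ignored here; counting them per caller is a reasonable extension when tuning for reconnaissance or permission probing.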