Skip to content

Microsoft.Storage/storageAccounts/regenerateKey/action

Azure

Microsoft.Storage/storageAccounts/regenerateKey/action

service: Azure - Azure Storage
techniques:

Event

Regenerates one of the two access keys for an Azure Storage account, invalidating the previous key.

Security Context

  • Regenerating storage account keys immediately invalidates the previous key, breaking all applications and services that were using it for authentication while granting the attacker the new key.
  • This technique serves a dual purpose: the adversary obtains valid credentials to access storage data while simultaneously disrupting legitimate access, combining credential theft with operational impact.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud regenerates key1 on the production storage account flcoccamy001. Dual-purpose: (1) Draco gets a brand-new valid key in his hands, and (2) every legitimate application using key1 (the OCCAMY ingestion pipeline) immediately breaks until it picks up the new key. Maps cleanly to T1528 (Steal Application Access Token) + T1531 (Account Access Removal).

{
"authorization": {
"action": "Microsoft.Storage/storageAccounts/regenerateKey/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "saRk225ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100010111",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100011000",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:59:18.5028207Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/events/90000000-0000-4000-8000-000100011000/ticks/638798225585028207",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100111001",
"operationName": {
"value": "Microsoft.Storage/storageAccounts/regenerateKey/action",
"localizedValue": "Regenerate Storage Account Keys"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.Storage",
"localizedValue": "Microsoft.Storage"
},
"resourceType": {
"value": "Microsoft.Storage/storageAccounts",
"localizedValue": "Microsoft.Storage/storageAccounts"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:59:19.0421112Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/regenerateKey",
"message": "Microsoft.Storage/storageAccounts/regenerateKey/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"keyName\":\"key1\"}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Credential Access Impact

Techniques:
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
  • T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....