Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information check:
Microsoft.Storage/storageAccounts/queueServices/queues/messages/readAn attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks.
Potential Impact: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/actionWith this permission, an attacker can retrieve and process messages from an Azure Storage Queue. This means they can read the message content and mark it as processed, effectively hiding it from legitimate systems. This could lead to sensitive data being exposed, disruptions in how messages are handled, or even stopping important workflows by making messages unavailable to their intended users.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/actionWith this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/writeThis permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue.
Microsoft.Storage/storageAccounts/queueServices/queues/deleteThis permission allows an attacker to delete queues within the storage account. By leveraging this capability, an attacker can permanently remove queues and all their associated messages, causing significant disruption to workflows and resulting in critical data loss for applications that rely on the affected queues. This action can also be used to sabotage services by removing essential components of the system.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/deleteWith this permission, an attacker can clear all messages from an Azure Storage Queue. This action removes all messages, disrupting workflows and causing data loss for systems dependent on the queue.
Microsoft.Storage/storageAccounts/queueServices/queues/writeThis permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks.
https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
