New Technique Releases #39
Replies: 5 comments
-
Technique: AzureDisableResourceDiagnosticLoggingTechnique
Display Name: Disable Resource Diagnostic Logging
Attack Surface: Azure
Details: Disables diagnostic logging on Azure resources to evade detection during an attack. This defense evasion technique can selectively disable logging for specific resources or remove all diagnostic settings from a target resource. When diagnostic settings are disabled, critical activities like administrative actions, security events, and resource modifications are no longer captured in Azure Monitor logs, helping to operate without generating telemetry. Commonly used to hide malicious activities like key theft, permission changes, or data exfiltration.
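A defender-side check for the diagnostic-logging technique above, added here as an example and not part of Halberd or of this post. It runs over constructed Azure Activity Log records (a simplified flat layout, which is an assumption of the example; real exports nest some fields), flags successful writes or deletes of diagnostic settings, and reports callers that removed settings from several resources.

```python
import json

# Activity Log operation names seen when a diagnostic setting is changed or removed.
DIAG_OPS = {
    "microsoft.insights/diagnosticsettings/delete": "deleted",
    "microsoft.insights/diagnosticsettings/write": "written",
}
MARKER = "/providers/microsoft.insights/diagnosticsettings/"

# Constructed sample records, one JSON object per line, in a simplified flat
# layout (an assumption of this example; real Activity Log exports nest fields).
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:02Z","operationName":"Microsoft.Insights/diagnosticSettings/delete","resourceId":"/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv/providers/microsoft.insights/diagnosticSettings/to-workspace","caller":"svc-automation@example.com","status":"Succeeded"}
{"time":"2024-05-01T10:00:09Z","operationName":"Microsoft.Insights/diagnosticSettings/delete","resourceId":"/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodstore/providers/microsoft.insights/diagnosticSettings/to-workspace","caller":"svc-automation@example.com","status":"Succeeded"}
{"time":"2024-05-01T10:00:15Z","operationName":"Microsoft.Insights/diagnosticSettings/delete","resourceId":"/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Sql/servers/prod-sql/providers/microsoft.insights/diagnosticSettings/to-workspace","caller":"svc-automation@example.com","status":"Failed"}
{"time":"2024-05-01T11:30:00Z","operationName":"Microsoft.Insights/diagnosticSettings/write","resourceId":"/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv/providers/microsoft.insights/diagnosticSettings/to-workspace","caller":"ops-admin@example.com","status":"Succeeded"}
{"time":"2024-05-01T11:31:00Z","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","resourceId":"/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodstore","caller":"ops-admin@example.com","status":"Succeeded"}
"""

def parent_resource(resource_id: str) -> str:
    """Strip the diagnostic-setting suffix to get the resource whose logging it covered."""
    idx = resource_id.lower().find(MARKER)
    return resource_id[:idx] if idx != -1 else resource_id

def find_diag_setting_changes(log_text: str) -> list:
    """One finding per successful write or delete of a diagnostic setting."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        kind = DIAG_OPS.get(ev.get("operationName", "").lower())
        if kind is None or ev.get("status") != "Succeeded":
            continue  # unrelated operation, or an attempt that did not take effect
        findings.append({"time": ev["time"], "caller": ev.get("caller", "<unknown>"),
                         "resource": parent_resource(ev["resourceId"]), "kind": kind})
    return findings

def bulk_deleters(findings: list, min_resources: int = 2) -> dict:
    """Callers who removed settings from at least min_resources distinct resources."""
    seen = {}
    for f in findings:
        if f["kind"] == "deleted":
            seen.setdefault(f["caller"], set()).add(f["resource"])
    return {c: sorted(r) for c, r in seen.items() if len(r) >= min_resources}

if __name__ == "__main__":
    found = find_diag_setting_changes(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['caller']} {f['kind']} setting on {f['resource']}")
    print("bulk deleters:", bulk_deleters(found))
```

Legitimate changes to diagnostic settings do happen, so in practice the write events are best compared against an approved-change list and the delete events alerted on directly.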
-
Technique: AzureEnumerateStorageAccountsTechnique
Display Name: Enumerate Storage Accounts
Attack Surface: Azure
Details: Performs reconnaissance of Azure Storage accounts across all accessible subscriptions to identify potential data storage targets and security misconfigurations. This technique enumerates all storage accounts and collects critical security information including account names, resource IDs, and public access settings. The discovery of storage accounts is particularly valuable for attackers as these resources often contain sensitive business data, application backups, virtual machine disks, and other critical assets. The technique specifically identifies storage accounts with blob public access enabled, which may indicate security misconfigurations that could be exploited for unauthorized data access. The enumerated information serves as a foundation for other attack techniques like key extraction, public access exploitation, shared access signature (SAS) abuse, or container enumeration. Storage account naming patterns discovered through this technique can also reveal information about associated applications, environments, or organizational structure.
-
Technique: AzureScanLogicAppsForCredentialsTechnique
Display Name: Scan Logic Apps for Credentials
Attack Surface: Azure
Details: Performs a deep inspection of Azure Logic Apps to discover exposed credentials and sensitive information. Enumerates all accessible Logic Apps in a specified resource group or across an entire subscription. Gathers complete workflow definitions, parameters, and connections. Performs pattern matching with configurable confidence levels (high/medium/low). The technique is particularly effective at finding credentials that are often embedded in Logic Apps during workflow automation configuration.
-
Technique: AzureExfilStorageAccountContainerTechnique
Display Name: Exfil Storage Account Container
Attack Surface: Azure
Details: Downloads and exfiltrates data from Azure Storage Account containers. The technique can access both public containers using container URLs and private containers using connection strings, making it versatile for different scenarios. It preserves the original blob names and hierarchical directory structure during download, maintaining data organization for later analysis. The technique implements automatic directory creation, error handling for failed downloads, and download tracking to provide accurate metrics. This technique is particularly effective for data theft as Storage Account containers often contain large volumes of business data, backups, application files, and other sensitive organizational assets.
-
Technique: AzureExfilVMDiskTechnique
Display Name: Exfil VM Disk Data
Attack Surface: Azure
Details: Exfiltrates Azure VM disk contents using a Shared Access Signature (SAS) URL. This technique supports large disk downloads with resume capability, handles network interruptions with configurable retries, implements block-based downloading to manage memory usage, maintains download state for recovery from failures, and provides detailed progress tracking and completion percentage.
-
Shares new techniques added to Halberd's coverage