Clean up logging of Storage Account SAS Keys

This feature request is off the back of support ticket #78931.

To summarise, we are receiving Defender for Cloud alerts for plain text secrets (SAS Tokens) stored in log files and PowerShell scripts on our session hosts.

It would be ideal if these SAS Tokens were not stored in plain text, and/or the logs/scripts were sanitised.


Comments (2)

Toby Skerritt

Hi Brad Hemsley - thanks for raising this; we will certainly investigate options. Specifically, on the attack path analysis risks listed, can you please confirm whether these are all pointing to the Winget storage account? We do have plaintext secrets in the scripts; however, these are unique credentials, and this key has read-only access to the SAS URL, with authorised access to a single file, so we considered this issue to be mitigated by design. There are 3 similar activities in UAM scenarios; the details are listed below.

  1. Receiving the SAS URL as .JSON with script parameters - read-only permission
  2. Downloading the app binary through winget internal logic - read-only permission
  3. Uploading the UAM script execution result to a temporary container - full access to the blob; however, this is deleted after being read and recorded to our DB (so unique per instance).

I'll raise the other concerns with the development team. Thanks.
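As an added example (not part of this thread, and not code from the vendor's tooling), the script below does the two things the discussion turns on: redacting the signature from SAS URLs before they are written to logs or scripts, and reading a SAS URL's query string to see what a leaked token actually grants (resource scope, permissions, expiry), which is how one would verify a "read-only, single file" claim rather than take it on trust. The storage account name, blob paths, log lines and signatures are constructed samples. Python is used instead of PowerShell so the logic can be run and tested anywhere; the same checks carry over to a session-host script. Two caveats are built in: an account SAS (`ss`/`srt` parameters) has no single-resource scope, and a SAS bound to a stored access policy (`si`) may carry permissions that are not visible in the URL at all.

```python
"""Added example: find, classify and redact SAS URLs in text.
All storage accounts, paths and signatures below are constructed samples."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Union
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: a read-only single-blob SAS and a
# full-access container SAS (fake account, fake signatures).
SAMPLE_LOG = """\
2024-01-01T00:05:12Z INFO Downloading parameters from https://examplestore.blob.core.windows.net/winget/params.json?sv=2022-11-02&sr=b&sp=r&se=2024-01-01T01:00:00Z&spr=https&sig=FAKEsig%2Bvalue%3D
2024-01-01T00:05:13Z INFO Upload target https://examplestore.blob.core.windows.net/results?sv=2022-11-02&sr=c&sp=racwdl&se=2024-01-02T00:00:00Z&sig=FAKEsig2%3D
"""

# 'sig' is the only secret part of a SAS URL; the other parameters are a
# public description of the grant, so keep them for troubleshooting.
_SIG_RE = re.compile(r"(?i)([?&;]sig=)[^&\s'\"<>]+")
_URL_RE = re.compile(r"https?://\S+")

# Service-SAS permission letters and resource types (Azure Storage docs).
_PERMISSION_NAMES = {
    "r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
    "l": "list", "x": "delete-version", "t": "tag", "m": "move", "e": "execute",
    "i": "set-immutability", "y": "permanent-delete", "f": "filter",
}
_RESOURCE_NAMES = {"b": "blob", "bv": "blob-version", "bs": "blob-snapshot",
                   "c": "container", "d": "directory"}
_MUTATING = set("acwdxymi")


def redact_sas(text: str) -> str:
    """Replace the value of every sig= parameter with a placeholder."""
    return _SIG_RE.sub(r"\1[REDACTED]", text)


def find_sas_urls(text: str) -> List[str]:
    """Return every URL in text that carries a SAS signature."""
    return [u for u in _URL_RE.findall(text) if "sig=" in u.lower()]


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def describe_sas(url: str, now: Union[str, datetime, None] = None) -> Dict:
    """Summarise what a SAS URL grants, without needing the signature.

    `now` may be an ISO-8601 string or an aware datetime (default: current UTC)."""
    if isinstance(now, str):
        now = _parse_time(now)
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    perms = set(q.get("sp", ""))
    resource = q.get("sr")
    expires = _parse_time(q.get("se"))
    account_sas = "srt" in q or "ss" in q  # account SAS: no single resource

    if "si" in q:
        # A stored access policy can grant more than 'sp' shows; do not trust sp.
        classification = "stored access policy (permissions not visible in URL)"
    elif account_sas:
        classification = "account SAS (whole-service scope)"
    elif resource == "b" and perms == {"r"}:
        classification = "read-only single blob"
    elif perms & _MUTATING:
        classification = "write/delete capable"
    elif resource in ("c", "d") or "l" in perms:
        classification = "read/list over a container or directory"
    else:
        classification = "read-only"

    return {
        "blob_path": parts.path,
        "resource": _RESOURCE_NAMES.get(resource, resource),
        "permissions": perms,
        "permission_names": sorted(_PERMISSION_NAMES.get(p, p) for p in perms),
        "expires": expires,
        "expired": expires is not None and expires <= now,
        "account_sas": account_sas,
        "classification": classification,
    }


if __name__ == "__main__":
    for sas_url in find_sas_urls(SAMPLE_LOG):
        d = describe_sas(sas_url, now="2024-01-01T00:30:00Z")
        print(f"{d['blob_path']}: {d['classification']}, "
              f"perms={d['permission_names']}, expired={d['expired']}")
    print(redact_sas(SAMPLE_LOG), end="")
```

Run against the constructed log, the first URL classifies as a read-only single blob and the second as write/delete capable over a container, which is the distinction between item 1/2 and item 3 in the list above. The redacted output keeps `sp`, `sr` and `se` so the log still says what was granted and until when, but no longer contains anything that can be replayed.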

Brad Hemsley

Toby Skerritt - Thanks for the quick response.

From our initial investigation, it appears that the Winget logs posted above all point to the Winget repository. I will have a thorough read today and get back to you with something more concrete.

Regards

Brad
