diff --git a/src/pentesting-cloud/azure-security/az-services/az-storage.md b/src/pentesting-cloud/azure-security/az-services/az-storage.md index 42b9be4ce..d922e1355 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-storage.md +++ b/src/pentesting-cloud/azure-security/az-services/az-storage.md @@ -65,6 +65,30 @@ If "Allow Blob public access" is **enabled** (disabled by default), when creatin
+#### Auditing anonymous blob exposure + +- **Locate storage accounts** that can expose data: `az storage account list | jq -r '.[] | select(.properties.allowBlobPublicAccess==true) | .name'`. If `allowBlobPublicAccess` is `false` you cannot turn containers public. +- **Inspect risky accounts** to confirm the flag and other weak settings: `az storage account show --name --query '{allow:properties.allowBlobPublicAccess, minTls:properties.minimumTlsVersion}'`. +- **Enumerate container-level exposure** where the flag is enabled: + +```bash +az storage container list --account-name \ + --query '[].{name:name, access:properties.publicAccess}' +``` + + - `"Blob"`: anonymous reads allowed **only when blob name is known** (no listing). + - `"Container"`: anonymous **list + read** of every blob. + - `null`: private; authentication required. +- **Prove access** without credentials: + - If `publicAccess` is `Container`, anonymous listing works: `curl "https://.blob.core.windows.net/?restype=container&comp=list"`. + - For both `Blob` and `Container`, anonymous blob download works when the name is known: + +```bash +az storage blob download -c -n --account-name --file /dev/stdout +# or via raw HTTP +curl "https://.blob.core.windows.net//" +``` + ### Connect to Storage If you find any **storage** you can connect to you could use the tool [**Microsoft Azure Storage Explorer**](https://azure.microsoft.com/es-es/products/storage/storage-explorer/) to do so. @@ -222,6 +246,9 @@ Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), enabling {{#tabs }} {{#tab name="az cli" }} +
+az cli enumeration + ```bash # Get storage accounts az storage account list #Get the account name from here @@ -339,11 +366,16 @@ az storage account local-user list \ --resource-group ``` +
+ {{#endtab }} {{#tab name="Az PowerShell" }} -```bash +
+Az PowerShell enumeration + +```powershell # Get storage accounts Get-AzStorageAccount | fl # Get rules to access the storage account @@ -401,6 +433,8 @@ New-AzStorageBlobSASToken ` -ExpiryTime (Get-Date "2024-12-31T23:59:00Z") ``` +
+ {{#endtab }} {{#endtabs }} @@ -433,6 +467,10 @@ az-file-shares.md - [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction) - [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) +- [Holiday Hack Challenge 2025: Blob Storage (Storage Secrets)](https://0xdf.gitlab.io/holidayhack2025/act1/blob-storage) +- [https://learn.microsoft.com/en-us/cli/azure/storage/account](https://learn.microsoft.com/en-us/cli/azure/storage/account) +- [https://learn.microsoft.com/en-us/cli/azure/storage/container](https://learn.microsoft.com/en-us/cli/azure/storage/container) +- [https://learn.microsoft.com/en-us/cli/azure/storage/blob](https://learn.microsoft.com/en-us/cli/azure/storage/blob) {{#include ../../../banners/hacktricks-training.md}}
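Review bot: the JSON paths in the first hunk's account-level commands are wrong, so the audit would silently report nothing. `az storage account list` / `az storage account show` return the flattened CLI shape, where `allowBlobPublicAccess` and `minimumTlsVersion` are top-level keys, not under `properties`, so `select(.properties.allowBlobPublicAccess==true)` matches no account and `--query '{allow:properties.allowBlobPublicAccess, minTls:properties.minimumTlsVersion}'` returns nulls. Drop the `properties.` prefix, e.g. `az storage account list --query "[?allowBlobPublicAccess].name" -o tsv` and `--query '{allow:allowBlobPublicAccess, minTls:minimumTlsVersion}'` (the container command's `properties.publicAccess` is correct, since container objects are not flattened). Two related caveats worth stating in the text: accounts on which the property was never explicitly set report `null` rather than `true`, and historically such accounts still honoured container-level public access, so a strict `== true` filter drops exactly the legacy accounts most likely to be exposed; and under "Prove access without credentials", `az storage blob download` without any credential or `--auth-mode` will try to resolve the account key through ARM and fail when the account is outside your subscription, so the `curl` form is the only one of the two that is actually unauthenticated. Finally, as rendered here the account and container placeholders are missing from several commands (`az storage account show --name --query ...`, `https://.blob.core.windows.net/?restype=container&comp=list`); check that the `<account>`/`<container>` placeholders survive the markdown renderer or spell them out in words.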