After attaining domain admin on-prem, Storm-0501 exploited visibility gaps (checking which Defender services were running), moved laterally with Evil-WinRM, and performed DCSync. They compromised Entra Connect Sync servers, used the Directory Synchronization Account (DSA) to enumerate identities and resources with AzureHound, then located a synced non-human Global Administrator account that lacked MFA. By resetting its on-prem password (propagated to the cloud by password hash sync) and registering MFA themselves, they satisfied Conditional Access (including hybrid-joined device requirements), established cloud persistence by adding a malicious federated domain with AADInternals, and could then mint SAML tokens to impersonate users.
With Global Admin, the actor invoked Microsoft.Authorization/elevateAccess/action to gain User Access Administrator, then mass-assigned Owner across subscriptions. Discovery focused on critical data stores and protective guardrails. For defense evasion and exfiltration, they exposed Azure Storage publicly, listed access keys, and bulk-exfiltrated data with AzCopy. Impact included mass deletion of snapshots, restore points, storage accounts, and backup containers; removal of resource locks and blob immutability; and, where deletion failed, encryption via Key Vault-backed encryption scopes followed by key deletion (mitigated by Key Vault soft-delete). Extortion followed via Microsoft Teams from a compromised user's account.
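A detection pass over the cloud-side sequence above, as an added example that is not part of the original report: it scores Azure Activity log callers by how many distinct stages (elevateAccess, Owner assignment, public storage exposure, key listing, lock removal, snapshot deletion) they touch, so that one identity walking several of them in sequence stands out from routine single operations. The sample records, the contoso.example callers and the simplified property names are constructed; the operation names other than elevateAccess are standard ARM operation names assumed here.

```python
import json
from collections import defaultdict

# ARM operation names mapped to stages of the sequence above. elevateAccess is from
# the write-up; the others are standard Azure operations. Property names below are
# simplified for this constructed sample, not the exact Activity log schema.
STAGES = {
    "Microsoft.Authorization/elevateAccess/action": "elevate_access",
    "Microsoft.Authorization/roleAssignments/write": "owner_assignment",
    "Microsoft.Storage/storageAccounts/write": "public_storage",
    "Microsoft.Storage/storageAccounts/listKeys/action": "list_keys",
    "Microsoft.Authorization/locks/delete": "lock_removed",
    "Microsoft.Compute/snapshots/delete": "snapshot_deleted",
}

def stage_of(rec):
    """Classify one record; role writes count only for Owner, storage writes only when they enable anonymous blob access."""
    stage = STAGES.get(rec.get("operationName"))
    props = rec.get("properties") or {}
    if stage == "owner_assignment" and props.get("roleName") != "Owner":
        return None
    if stage == "public_storage" and not props.get("allowBlobPublicAccess"):
        return None
    return stage

def parse_activity_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_callers(records, min_stages=3):
    """Return {caller: sorted stages} for callers that hit at least min_stages distinct stages."""
    seen = defaultdict(set)
    for rec in records:
        stage = stage_of(rec)
        if stage:
            seen[rec["caller"]].add(stage)
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_stages}

# Constructed sample: one identity walks the whole sequence; a backup operator
# only lists keys and assigns Reader, which is routine and must not be flagged.
SAMPLE_LOG = """
{"caller":"sync-ga@contoso.example","operationName":"Microsoft.Authorization/elevateAccess/action"}
{"caller":"sync-ga@contoso.example","operationName":"Microsoft.Authorization/roleAssignments/write","properties":{"roleName":"Owner"}}
{"caller":"sync-ga@contoso.example","operationName":"Microsoft.Storage/storageAccounts/write","properties":{"allowBlobPublicAccess":true}}
{"caller":"sync-ga@contoso.example","operationName":"Microsoft.Storage/storageAccounts/listKeys/action"}
{"caller":"sync-ga@contoso.example","operationName":"Microsoft.Authorization/locks/delete"}
{"caller":"sync-ga@contoso.example","operationName":"Microsoft.Compute/snapshots/delete"}
{"caller":"backup-ops@contoso.example","operationName":"Microsoft.Storage/storageAccounts/listKeys/action"}
{"caller":"backup-ops@contoso.example","operationName":"Microsoft.Authorization/roleAssignments/write","properties":{"roleName":"Reader"}}
"""
```

Running flag_callers(parse_activity_log(SAMPLE_LOG)) flags only sync-ga@contoso.example with all six stages; in practice the stage table would be extended with restore point, backup container and immutability policy deletions and fed from exported Activity log or Sentinel data.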