An attacker who wants to steal data from a virtual machine can generate a public sharing URL for one of its disks and use that URL to download the disk to a machine they control.
Disks typically contain sensitive data. When an attacker accesses the data they contain, this can lead to uncontrolled data leaks, especially considering this attack is straightforward to perform.
When an attacker creates a Shared Access Signature (SAS), anyone with the URL can download the disk.
You can identify when a Shared Access Signature (SAS) is created for a disk, through the Azure Activity log event
properties.entity contains the identifier of the disk, such as
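As an added example (not code from the page, Datadog or Stratus Red Team), the Python below scans an Azure Activity log export in JSON-lines form for disk SAS creation, extracts the disk from properties.entity, and records whether a matching revocation followed. It assumes the Compute provider operation names Azure records for these calls, Microsoft.Compute/disks/beginGetAccess/action (SAS created) and Microsoft.Compute/disks/endGetAccess/action (SAS revoked); the log records, callers, resource group and subscription id are constructed placeholders.

```python
"""Flag Azure disk export URI (SAS) creation in Activity log records."""
import json

# Assumed operation names (Azure Compute resource-provider operations):
# beginGetAccess creates the SAS for a disk, endGetAccess revokes it.
SAS_CREATE = "Microsoft.Compute/disks/beginGetAccess/action"
SAS_REVOKE = "Microsoft.Compute/disks/endGetAccess/action"

# Constructed sample Activity log export (JSON lines). The subscription id,
# resource group, disk names and callers are placeholders, not real data.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
_OS = _SUB + "/providers/Microsoft.Compute/disks/vm01-osdisk"
_DATA = _SUB + "/providers/Microsoft.Compute/disks/vm02-datadisk"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2024-05-01T10:00:00Z", "operationName": SAS_CREATE, "resultType": "Start",
     "caller": "alice@example.com", "properties": {"entity": _OS}},
    {"time": "2024-05-01T10:00:02Z", "operationName": SAS_CREATE, "resultType": "Success",
     "caller": "alice@example.com", "properties": {"entity": _OS}},
    {"time": "2024-05-01T10:05:00Z", "operationName": "Microsoft.Compute/disks/write",
     "resultType": "Success", "caller": "bob@example.com", "properties": {"entity": _DATA}},
    {"time": "2024-05-01T11:00:00Z", "operationName": SAS_CREATE, "resultType": "Success",
     "caller": "bob@example.com", "properties": {"entity": _DATA}},
    {"time": "2024-05-01T11:03:00Z", "operationName": SAS_REVOKE, "resultType": "Success",
     "caller": "bob@example.com", "properties": {"entity": _DATA}},
])


def parse_entity(entity):
    """Split a disk resource id into (subscription id, resource group, disk name)."""
    parts = entity.strip("/").split("/")
    # subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/disks/<name>
    return parts[1], parts[3], parts[-1]


def find_disk_exports(jsonl):
    """Return one finding per successful SAS creation, noting a later revocation."""
    creates, revokes = [], {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Activity log emits a Start and a Success record per call; keep only Success
        if rec.get("resultType") != "Success":
            continue
        op = rec.get("operationName", "")
        entity = rec.get("properties", {}).get("entity", "")
        if op == SAS_REVOKE:
            revokes.setdefault(entity, []).append(rec["time"])
        elif op == SAS_CREATE:
            creates.append(rec)

    findings = []
    for rec in creates:
        entity = rec["properties"]["entity"]
        sub, rg, disk = parse_entity(entity)
        # ISO-8601 UTC timestamps compare correctly as strings
        revoked = any(t >= rec["time"] for t in revokes.get(entity, []))
        findings.append({
            "time": rec["time"], "caller": rec["caller"], "subscription": sub,
            "resource_group": rg, "disk": disk, "sas_revoked": revoked,
        })
    return findings


if __name__ == "__main__":
    for f in find_disk_exports(SAMPLE_LOG):
        state = "revoked" if f["sas_revoked"] else "STILL ACTIVE"
        print(f"{f['time']} {f['caller']} exported {f['disk']} ({f['resource_group']}): {state}")
```

A SAS that was created and never revoked is the case worth paging on: an export that was revoked within minutes looks like routine disk copying, while one left open means anyone holding the URL can still fetch the disk.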
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate azure.exfiltration.disk-export
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Azure disk export URI created".
Stratus Red Team - Export Disk Through SAS URL
PowerZure - Get-AzureVMDisk
Generate a SAS URI for a VM image
Grant limited access to Azure Storage resources using shared access signatures (SAS)