About
An attacker who wants to steal data from a virtual machine can create a public sharing URL for one of its disks and download the disk to their own machine.
Understanding Impact
Business Impact
Disks typically contain sensitive data. When an attacker accesses the data they contain, this can lead to uncontrolled data leaks, especially considering this attack is straightforward to perform.
Technical Impact
When an attacker creates a Shared Access Signature (SAS), anyone with the URL can download the disk.
Detection
You can identify when a Shared Access Signature (SAS) is created for a disk through the Azure Activity log event Microsoft.Compute/disks/beginGetAccess/action.
The field properties.entity contains the identifier of the disk, such as /subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group>/providers/Microsoft.Compute/disks/<disk-name>.
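The detection described above, as an added example (not code from the page or from Datadog): it walks Azure Activity log records, keeps the Microsoft.Compute/disks/beginGetAccess/action operations that completed, and splits properties.entity into subscription, resource group and disk name. The sample records are constructed, and the Started/Succeeded status handling assumes the standard Activity log status.value field.

```python
"""Flag Azure Activity log records that create a SAS export URL for a managed disk."""
import re

# Activity log operation emitted when a SAS URL is generated for a managed disk (from the page)
EXPORT_OP = "Microsoft.Compute/disks/beginGetAccess/action"

# Shape of properties.entity for a managed disk, as documented on the page
DISK_ID_PATTERN = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Compute/disks/(?P<disk>[^/]+)$", re.IGNORECASE)


def _event(ts, caller, op, status, entity=None):
    """Build a record in the Azure Activity log shape (constructed sample data, not real events)."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "properties": {"entity": entity} if entity else {}}


DISK = "/subscriptions/0000-sub/resourceGroups/rg-prod/providers/Microsoft.Compute/disks/web01_OsDisk"
SAMPLE_EVENTS = [  # one async export (Started, then Succeeded), one denied attempt, one unrelated read
    _event("2024-01-01T10:00:00Z", "alice@example.com", EXPORT_OP, "Started", DISK),
    _event("2024-01-01T10:00:02Z", "alice@example.com", EXPORT_OP, "Succeeded", DISK),
    _event("2024-01-01T10:05:00Z", "bob@example.com", EXPORT_OP, "Failed",
           DISK.replace("web01_OsDisk", "db01_DataDisk")),
    _event("2024-01-01T10:06:00Z", "bob@example.com", "Microsoft.Compute/virtualMachines/read", "Succeeded"),
]


def parse_disk_id(entity):
    """Split a managed-disk resource ID into subscription, resource group and disk name."""
    match = DISK_ID_PATTERN.match(entity or "")
    return match.groupdict() if match else None


def detect_disk_exports(records):
    """Return one finding per completed disk SAS creation.
    beginGetAccess is asynchronous, so one export yields a Started and a Succeeded record;
    only Succeeded is reported (assumption: a Failed attempt never produced a usable URL).
    """
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "")
        if op.lower() != EXPORT_OP.lower() or rec.get("status", {}).get("value") != "Succeeded":
            continue
        parts = parse_disk_id(rec.get("properties", {}).get("entity"))
        if parts is None:
            continue  # entity missing or not a managed-disk ID; skip rather than guess
        findings.append({"caller": rec.get("caller"), "time": rec.get("eventTimestamp"), **parts})
    return findings
```

Running detect_disk_exports(SAMPLE_EVENTS) yields a single finding for alice's export of web01_OsDisk; the Started duplicate, the denied attempt and the VM read are all dropped.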
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate azure.exfiltration.disk-export
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Azure disk export URI created".
References
Stratus Red Team - Export Disk Through SAS URL (stratus-red-team.cloud)
PowerZure - Get-AzureVMDisk (powerzure.readthedocs.io)
Generate a SAS URI for a VM image (Azure documentation)
Grant limited access to Azure Storage resources using shared access signatures (SAS) (Azure documentation)