AZT701.1 - SAS URI Generation: VM Disk SAS URI

An adversary may create an SAS URI to download the disk attached to a virtual machine.

Resource

Virutal Machine Disk

Actions

• Microsoft.Compute/disks/beginGetAccess/action

Examples

Az PowerShellAzure CLIAzure Portal

• New-AzureStorageBlobSASToken

• New-AzStorageContainerSASToken

az storage blob generate-sas

Detections

Logs

Data Source	Operation Name	Action	Log Location
Resource	Get Disk SAS URI	Microsoft.Compute/disks/BeginGetAccess/action	Azure Activity Log

Queries

Log Analytics

|where OperationNameValue=="Microsoft.Compute/disks/BeginGetAccess/action"

Additional Resources

https://docs.microsoft.com/en-us/azure/marketplace/azure-vm-get-sas-uri