AZT701.1 - SAS URI Generation: VM Disk SAS URI#
An adversary may create an SAS URI to download the disk attached to a virtual machine.
Resource
Virutal Machine Disk
Actions
- Microsoft.Compute/disks/beginGetAccess/action
Detections
Logs#
| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Resource | Get Disk SAS URI | Microsoft.Compute/disks/BeginGetAccess/action | AzureActivity |
Queries#
| Platform | Query |
|---|---|
| Log Analytics | AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION' and ActivityStatusValue == 'Success' |
Azure Monitor Alert#
(https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExfiltration%2FAZT701%2FAZT701-1.json)
Additional Resources
https://docs.microsoft.com/en-us/azure/marketplace/azure-vm-get-sas-uri