AZT701.2 - SAS URI Generation: Storage Account File Share SAS

By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.

Resource

Azure Storage Account

Actions

• Microsoft.Storage/storageAccounts/listAccountSas/action

Examples

Az PowerShellAzure CLIAzure Portal

• New-AzureStorageBlobSASToken

• New-AzStorageContainerSASToken

az storage blob generate-sas

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Resource	N/A	N/A	StorageBlobLogs

Queries

Platform	Query
Log Analytics	StorageBlobLogs | where AuthorizationDetails has 'generateUserDelegationKey'

Azure Monitor Alert

Additional Resources

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview