AZT704.3 - Soft-Delete Recovery: Recovery Services Vault#

An adversary may recover a virtual machine object found in a 'soft deletion' state.

Resource

Azure Recovery Services Vault

Actions

Microsoft.RecoveryServices/Vaults/backupconfig/write

Examples

Az PowerShellAzure REST APIAzure Portal

Undo-AzRecoveryServicesBackupItemDeletion

Invoke-RESTMethod -body $body -Method PUT -Uri 'https://management.azure.com/Subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testVaultRG/providers/Microsoft.RecoveryServices/vaults/testVault/backupFabrics/Azure/protectionContainers/iaasvmcontainer;iaasvmcontainerv2;testRG;testVM/protectedItems/vm;iaasvmcontainerv2;testRG;testVM?api-version=2019-05-13'

$Body ={"properties": {"protectedItemType": "Microsoft.Compute/virtualMachines","protectionState": "ProtectionStopped","sourceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM","isRehydrate": true}}

portal

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Resource	TBD	TBD	Log Analytics

Additional Resources

https://docs.microsoft.com/en-us/powershell/module/az.recoveryservices/undo-azrecoveryservicesbackupitemdeletion?view=azps-8.2.0