Impact

The adversary is trying to either steal, manipulate, or delete data. Exfiltration in Azure consists of using techniques to lift resource data from specific resources. This can be done by generating SAS URIs for unauthenticated & persistent downloads, or can be done by directly exfiltrating the data from the resource itself. Deletion can occur through various means.

ID		Name	Description
AZT701		SAS URI Generation	By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.
	.001	VM Disk SAS URI	An adversary may create an SAS URI to download the disk attached to a virtual machine.
	.002	Storage Account File Share SAS	By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.
AZT702		File Share Mounting	An adversary may attach an Azure resource as a file share
	.001	Storage Account File Share NFS/SMB Mount	An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.
AZT703		Replication	An adversary may exfiltrate data by replicating it.
	.001	Storage Account Replication	By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an extrenal tenant's storage account.
AZT704		Soft-Delete Recovery	An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted
	.001	Key Vault	An adversary may recover a key vault object found in a 'soft deletion' state.
	.002	Storage Blob	An adversary may recover a storage blob found in a 'soft deletion' state.
	.003	Virtual Machine	An adversary may recover a virtual machine found in a 'soft deletion' state.
AZT705		Azure Backup Delete	An adversary may delete data within the Recovery Service Vault, which houses backup data.