Export Disk Through SAS URL

idempotent

Platform: Azure

MITRE ATT&CK Tactics

  • Exfiltration

Description

Generate a public Shared Access Signature (SAS) URL to download an Azure disk.

Warm-up:

  • Create an Azure-managed disk

Detonation:

  • Generate a Shared Access Signature (SAS) URL for the disk

References:

Instructions

Detonate with Stratus Red Team
stratus detonate azure.exfiltration.disk-export

Detection

Identify Microsoft.Compute/disks/beginGetAccess/action events in Azure Activity logs.

Sample event (redacted for clarity):

{
  "resourceId": "/SUBSCRIPTIONS/<your-subscription-id>/RESOURCEGROUPS/RG-IKFFQ01Z/PROVIDERS/MICROSOFT.COMPUTE/DISKS/STRATUS-RED-TEAM-DISK",
  "evt": {
    "category": "Administrative",
    "outcome": "Success",
    "name": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION"
  },
  "level": "Information",
  "properties": {
    "hierarchy": "ecc2b97b-844b-414e-8123-b925dddf87ed/2fd72d85-b49f-4e19-b567-4a8cb7301e8b",
    "message": "Microsoft.Compute/disks/beginGetAccess/action",
    "eventCategory": "Administrative",
    "entity": "/subscriptions/<your-subscription-id>/resourceGroups/rg-ikffq01z/providers/Microsoft.Compute/disks/stratus-red-team-disk"
  }
}
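
The detection above as an added example (not part of Stratus Red Team or of the original page): it filters events shaped like the sample for successful beginGetAccess calls and extracts the affected disk. The function name, the constructed events and the "Failure" outcome value are assumptions.

```python
import re

# Operation named on the page, compared case-insensitively: the sample event
# has it upper-cased in evt.name and mixed-case in properties.message.
OPERATION = "microsoft.compute/disks/begingetaccess/action"

# Splits a managed-disk resource ID into subscription, resource group and disk.
DISK_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourcegroups/(?P<resource_group>[^/]+)"
    r"/providers/microsoft\.compute/disks/(?P<disk>[^/]+)$"
)

def find_disk_exports(events):
    """Return one finding per successful beginGetAccess call on a disk."""
    findings = []
    for event in events:
        evt = event.get("evt") or {}
        props = event.get("properties") or {}
        names = {str(evt.get("name", "")).lower(), str(props.get("message", "")).lower()}
        if OPERATION not in names:
            continue
        if str(evt.get("outcome", "")).lower() != "success":
            continue  # report only calls the log records as successful
        # Lower-case the ID so upper- and mixed-case copies of it compare equal.
        resource = str(event.get("resourceId") or props.get("entity") or "").lower()
        match = DISK_ID.match(resource)
        findings.append({"resource_id": resource, **(match.groupdict() if match else {})})
    return findings

# Constructed events in the shape of the page's sample (IDs and names are made up;
# the "Failure" outcome value is an assumption).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_EVENTS = [
    {"resourceId": (SUB + "/resourceGroups/rg-example/providers/Microsoft.Compute/disks/disk-a").upper(),
     "evt": {"outcome": "Success", "name": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION"}},
    {"evt": {"outcome": "Success"},  # no evt.name or resourceId: falls back to properties
     "properties": {"message": "Microsoft.Compute/disks/beginGetAccess/action",
                    "entity": SUB + "/resourceGroups/rg-example/providers/Microsoft.Compute/disks/disk-b"}},
    {"resourceId": SUB + "/resourceGroups/rg-example/providers/Microsoft.Compute/disks/disk-c",
     "evt": {"outcome": "Failure", "name": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION"}},
    {"resourceId": SUB + "/resourceGroups/rg-example/providers/Microsoft.Compute/disks/disk-a",
     "evt": {"outcome": "Success", "name": "MICROSOFT.COMPUTE/DISKS/WRITE"}},
]

if __name__ == "__main__":
    for finding in find_disk_exports(SAMPLE_EVENTS):
        print(finding)
```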