Azure Storage Blob Retrieval via AzCopy
Identifies successful GetBlob operations on Azure Storage Accounts using AzCopy user agent with SAS token authentication. AzCopy is a command-line utility for copying data to and from Azure Storage. While legitimate for data migration, adversaries may abuse AzCopy with compromised SAS tokens to exfiltrate data from Azure Storage Accounts. This rule detects the first occurrence of GetBlob operations from a specific storage account using this pattern.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/10/02"
integration = ["azure"]
maturity = "production"
updated_date = "2025/10/02"

[rule]
author = ["Elastic"]
description = """
Identifies successful GetBlob operations on Azure Storage Accounts using AzCopy user agent with SAS token
authentication. AzCopy is a command-line utility for copying data to and from Azure Storage. While legitimate for data
migration, adversaries may abuse AzCopy with compromised SAS tokens to exfiltrate data from Azure Storage Accounts. This
rule detects the first occurrence of GetBlob operations from a specific storage account using this pattern.
"""
false_positives = [
    "Legitimate data migration or backup operations using AzCopy with SAS tokens may trigger this rule.",
    "Automated scripts or processes that use AzCopy for routine data transfers from Azure Storage Accounts.",
    "DevOps or IT teams performing authorized data transfers or downloads from Azure Storage using AzCopy.",
]
from = "now-9m"
index = ["logs-azure.platformlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Blob Retrieval via AzCopy"
note = """## Triage and analysis

### Investigating Azure Storage Blob Retrieval via AzCopy

Azure Storage Accounts provide cloud storage services for blobs, files, queues, and tables. Shared Access Signatures (SAS) tokens provide delegated access to resources in a storage account with specific permissions and time constraints. AzCopy is a Microsoft command-line utility designed for efficient data transfers to and from Azure Storage. While AzCopy is a legitimate tool, adversaries may abuse it with compromised SAS tokens to exfiltrate data from Azure Storage Accounts.

### Possible investigation steps
- Review the `azure.platformlogs.properties.accountName` field to identify which storage account is being accessed and assess the sensitivity of data stored in that account.
- Examine the `azure.platformlogs.properties.objectKey` field to identify the specific blob(s) being retrieved. Determine if the accessed files contain sensitive or confidential data.
- Check the `source.address` field to identify the source IP address of the request. Investigate if this IP is unusual, unexpected, or originates from an unexpected network or geographic location.
- Review the `azure.platformlogs.uri` field to examine the SAS token parameters, including:
  - `se` (expiry time): Check when the SAS token expires
  - `sp` (permissions): Verify what permissions were granted (e.g., "rl" for read and list)
  - `sv` (API version): Note the storage service version being used
- Examine the `azure.platformlogs.identity.tokenHash` field to identify the specific SAS token signature being used. Correlate this with SAS token generation logs to determine when and how the token was created.
- Check the `azure.platformlogs.properties.responseBodySize` field to assess the volume of data being downloaded. Multiple GetBlob operations with large response sizes may indicate bulk data exfiltration.
- Search for related GetBlob operations from the same `source.address` or with the same `azure.platformlogs.identity.tokenHash` to identify patterns of systematic data retrieval.
- Review Azure Activity Logs for recent SAS token generation events or storage account key access operations that may indicate how the adversary obtained the credentials.
- Correlate this activity with ListBlobs or ListContainers operations from the same source, as adversaries often enumerate storage contents before exfiltration.
- Investigate the `azure.resource.group` field to understand which resource group the storage account belongs to and check for any recent security events or configuration changes in that resource group.

### False positive analysis
- Routine data migration or backup operations using AzCopy with SAS tokens are common in enterprise environments. If this is expected behavior for the storage account, consider adding exceptions for specific accounts or IP ranges.
- DevOps pipelines or automated workflows may use AzCopy with SAS tokens for legitimate data transfers. Review the automation configuration and add exceptions if appropriate.
- Third-party services or partners may have authorized access to storage accounts using AzCopy and SAS tokens. Verify these relationships and create exceptions for known authorized sources.

### Response and remediation
- If unauthorized access is confirmed, immediately revoke the compromised SAS token to prevent further data exfiltration.
- Review and rotate any additional SAS tokens that may have been compromised through the same attack vector.
- Assess the scope of data accessed or exfiltrated during the unauthorized GetBlob operations and determine if sensitive data was compromised.
- Implement additional monitoring and alerting for the affected storage account to detect any further suspicious activity.
- Review and strengthen SAS token generation policies, including implementing shorter expiration times and more restrictive permissions.
- Consider implementing Azure Storage firewall rules or private endpoints to restrict access to storage accounts from trusted networks only.
- Investigate how the SAS token was compromised and remediate the initial access vector to prevent future incidents.
- Document the incident and update security procedures to prevent similar compromises in the future.
"""
references = [
    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/",
    "https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10",
    "https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview",
]
risk_score = 47
rule_id = "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901"
setup = """#### Required Azure Storage Diagnostic Logs

To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Storage Accounts:
- StorageRead: This log captures all read operations performed on blobs in the storage account, including GetBlob operations. These logs should be streamed to the Event Hub used for the Azure integration configuration.
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Storage",
    "Data Source: Azure",
    "Data Source: Azure Platform Logs",
    "Data Source: Azure Storage",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: azure.platformlogs and
    event.action: GetBlob and
    azure.platformlogs.identity.type: SAS and
    azure.platformlogs.properties.userAgentHeader: AzCopy* and
    azure.platformlogs.statusCode: 200
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.platformlogs.properties.accountName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
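To make the rule's behaviour concrete, here is an added Python example (not Elastic's code and not part of the rule) that replays the query conditions and a first-seen approximation of the `new_terms` grouping over constructed `azure.platformlogs` events with flattened field names, and parses the `se`, `sp` and `sv` SAS parameters the triage steps reference. The event builder, account names, user-agent string and the seven-day first-seen check are assumptions made for the example.

```python
# Added example (not Elastic's code): replays the rule's kuery match conditions and an
# approximation of its new_terms logic over constructed events, and parses SAS params.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

HISTORY_WINDOW = timedelta(days=7)  # rule.new_terms history_window_start = "now-7d"
TERM_FIELD = "azure.platformlogs.properties.accountName"  # rule.new_terms field

def matches_query(ev):
    """Mirror of the rule query: dataset, GetBlob, SAS identity, AzCopy* UA, HTTP 200."""
    ua = str(ev.get("azure.platformlogs.properties.userAgentHeader", ""))
    return (ev.get("event.dataset") == "azure.platformlogs"
            and ev.get("event.action") == "GetBlob"
            and ev.get("azure.platformlogs.identity.type") == "SAS"
            and ua.startswith("AzCopy") and ev.get("azure.platformlogs.statusCode") == 200)

def sas_params(uri):
    """Extract the SAS query parameters named in the investigation steps (se, sp, sv)."""
    q = parse_qs(urlsplit(uri).query)
    return {k: q[k][0] for k in ("se", "sp", "sv") if k in q}

def new_term_alerts(events):
    """Alert when a matching event's accountName had no matching event in the prior 7 days."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        term, ts = ev[TERM_FIELD], ev["@timestamp"]
        if term not in last_seen or ts - last_seen[term] > HISTORY_WINDOW:
            alerts.append({"account": term, "sas": sas_params(ev["azure.platformlogs.uri"])})
        last_seen[term] = ts
    return alerts

def _event(ts, account, ua="AzCopy/10.21.0", idtype="SAS", status=200):  # constructed, not real
    return {"@timestamp": ts, "event.dataset": "azure.platformlogs", "event.action": "GetBlob",
            "azure.platformlogs.identity.type": idtype, "azure.platformlogs.statusCode": status,
            "azure.platformlogs.properties.userAgentHeader": ua, TERM_FIELD: account,
            "azure.platformlogs.uri": f"https://{account}.blob.core.windows.net/backup/db.bak"
                                      "?sv=2024-05-04&se=2025-10-03T00:00:00Z&sp=rl&sig=REDACTED"}

NOW = datetime(2025, 10, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed sample data covering the match and no-match cases
    _event(NOW - timedelta(days=2), "contosodata"),                   # first sighting: alert
    _event(NOW - timedelta(hours=1), "contosodata"),                  # seen 2 days ago: no alert
    _event(NOW - timedelta(minutes=5), "hrarchive"),                  # new account: alert
    _event(NOW - timedelta(minutes=4), "hrarchive", status=403),      # denied: not a match
    _event(NOW - timedelta(minutes=3), "finance", ua="Mozilla/5.0"),  # not AzCopy: not a match
    _event(NOW - timedelta(minutes=2), "finance", idtype="OAuth"),    # not SAS: not a match
]
```

Running `new_term_alerts(SAMPLE_EVENTS)` yields one alert for `contosodata` and one for `hrarchive`, each carrying the parsed SAS parameters; the real Elastic new_terms evaluation is index-wide over the history window, which this per-term first-seen check only approximates.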
Related rules
- Excessive Secret or Key Retrieval from Azure Key Vault
- Azure Key Vault Secret Key Usage by Unusual Identity
- Azure Storage Account Blob Public Access Enabled
- Entra ID Actor Token User Impersonation Abuse
- Azure Entra ID Rare App ID for Principal Authentication