Tags
Cloud
ATT&CK Tactic
Exfiltration (TA0010)
Last edited
Jan 18, 2024 1:25 PM
Status
Stub
In Azure it is possible to export a disk through SAS URL. A malicious actor can leverage the Azure Managed Disk Import / Export feature to exfiltrate data outside of the organization. The attacker will generate a time bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots. By default, in Azure all the Azure Disks are configured with a public endpoint enabled.