LoFP / Legitimate data migration or backup operations using AzCopy with SAS tokens may trigger this rule.

Techniques

Sample rules

Azure Storage Blob Retrieval via AzCopy

Description

Identifies successful GetBlob operations on Azure Storage Accounts where the request carries the AzCopy user agent and is authenticated with a SAS token. AzCopy is Microsoft's command-line utility for copying data to and from Azure Storage. A shared access signature (SAS) token is a signed query string appended to the storage URL; whoever holds it receives the permissions it encodes without any further sign-in, so an adversary who obtains a compromised token can bulk-download blobs with the same tool an administrator would use. While legitimate for data migration and backup, this combination is therefore also a convenient exfiltration path. The rule fires on the first occurrence of such a GetBlob operation per storage account rather than on every request, so a migration that reads thousands of blobs produces a single alert; it only considers requests that returned HTTP 200, so attempts with an expired or revoked token are not in scope.

Detection logic

event.dataset: azure.platformlogs and
    event.action: GetBlob and
    azure.platformlogs.identity.type: SAS and
    azure.platformlogs.properties.userAgentHeader: AzCopy* and
    azure.platformlogs.statusCode: 200
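The query above, run over a handful of constructed Azure platform-log events, as an added example that is not the rule's own code and not taken from the page. It applies the five KQL terms to flattened events and then emulates the "first occurrence per storage account" behaviour from the description with a simple seen-set. The storage-account field name (azure.resource.name), the AzCopy user-agent string and every sample event are assumptions constructed for the example, not captured telemetry.

```python
"""Run the "Azure Storage Blob Retrieval via AzCopy" detection logic over
constructed Azure platform-log events and emulate its first-occurrence
(new-terms) behaviour per storage account."""
from fnmatch import fnmatchcase

# The five terms of the KQL query, keyed by flattened Elastic field name.
RULE_TERMS = {
    "event.dataset": "azure.platformlogs",
    "event.action": "GetBlob",
    "azure.platformlogs.identity.type": "SAS",
    "azure.platformlogs.properties.userAgentHeader": "AzCopy*",
    "azure.platformlogs.statusCode": "200",
}

# ASSUMPTION: the field carrying the storage account name. The rule text only
# says "per storage account"; azure.resource.name is used here for illustration.
ACCOUNT_FIELD = "azure.resource.name"


def matches_rule(event):
    """Return True when every term of the query matches the event.

    Values are compared as strings so an integer statusCode still matches;
    a term containing '*' is treated as a KQL wildcard (matched case-sensitively).
    """
    for field, expected in RULE_TERMS.items():
        actual = event.get(field)
        if actual is None:
            return False
        actual = str(actual)
        if "*" in expected:
            if not fnmatchcase(actual, expected):
                return False
        elif actual != expected:
            return False
    return True


def first_occurrences(events):
    """Alert only on the first matching event per storage account.

    This mirrors the description's "first occurrence ... from a specific
    storage account": a long-running migration yields one alert, not one
    per blob, and an account already seen in the window never re-alerts.
    """
    seen = set()
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        account = event.get(ACCOUNT_FIELD)
        if account in seen:
            continue
        seen.add(account)
        alerts.append(event)
    return alerts


def _event(action, identity, user_agent, status, account, dataset="azure.platformlogs"):
    """Build a constructed (not captured) flattened log event."""
    return {
        "event.dataset": dataset,
        "event.action": action,
        "azure.platformlogs.identity.type": identity,
        "azure.platformlogs.properties.userAgentHeader": user_agent,
        "azure.platformlogs.statusCode": status,
        ACCOUNT_FIELD: account,
    }


# Constructed user-agent string in the shape AzCopy sends; not a captured value.
AZCOPY_UA = "AzCopy/10.21.0 Azure-Storage/1.2.0 (go1.20; Windows_NT)"

# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    _event("GetBlob", "SAS", AZCOPY_UA, 200, "stprodbackups"),            # alert
    _event("GetBlob", "SAS", AZCOPY_UA, 200, "stprodbackups"),            # same account: suppressed
    _event("GetBlob", "SAS", AZCOPY_UA, 403, "stprodbackups"),            # expired/invalid SAS: out of scope
    _event("GetBlob", "OAuth", AZCOPY_UA, 200, "stprodbackups"),          # Entra ID sign-in, not SAS
    _event("PutBlob", "SAS", AZCOPY_UA, 201, "stprodbackups"),            # upload, not retrieval
    _event("GetBlob", "SAS", "Mozilla/5.0 (browser)", 200, "stfinance"),  # not AzCopy
    _event("GetBlob", "SAS", AZCOPY_UA, 200, "stfinance"),                # second account: alert
    _event("GetBlob", "SAS", AZCOPY_UA, 200, "stfinance",
           dataset="azure.activitylogs"),                                 # wrong dataset
]

if __name__ == "__main__":
    for alert in first_occurrences(SAMPLE_EVENTS):
        print("ALERT", alert[ACCOUNT_FIELD],
              alert["azure.platformlogs.properties.userAgentHeader"])
```

Running it prints two alerts, one for stprodbackups and one for stfinance. The second GetBlob against stprodbackups is suppressed by the first-occurrence logic, which is why a legitimate backup job surfaces exactly once and why the false-positive note at the top of this page applies: the rule cannot distinguish an administrator's AzCopy migration from an attacker using a stolen SAS token with the same tool, so triage has to look at who minted the token, from where the requests originate and whether the volume fits a scheduled job.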