
Azure disk snapshot export URI generated

ID: azure_disk_snapshot_export_uri
Data type: Azure Activity
Severity: Medium
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected the generation of an export URI for an Azure managed disk or snapshot. Azure provides the Microsoft.Compute/disks/beginGetAccess/action and Microsoft.Compute/snapshots/BeginGetAccess/action operations to generate time-limited Shared Access Signature (SAS) URIs that enable direct download access to disk or snapshot data. Threat actors may exploit this functionality to exfiltrate entire disk images containing sensitive data, credentials, encryption keys, application secrets, or intellectual property. By generating a SAS URI, attackers can download disk data directly to external infrastructure, bypassing additional security controls.

Impact

Exfiltration of Azure managed disks or snapshots provides threat actors with complete access to all data stored on virtual machines or volumes. Attackers can extract the entire contents of the managed disk (or snapshot), including all files, operating system data, application binaries, configuration files, databases, credentials, and any other sensitive or proprietary data stored on the virtual machine's volume(s). The downloaded disk images can be mounted and analyzed offline in attacker-controlled environments, enabling comprehensive reconnaissance or credential harvesting without triggering additional alerts in the victim's Azure environment.

Severity

Severity   Condition
Medium     Azure disk (snapshot) export URI generated

Investigation and Remediation

Review Azure Activity logs to identify the Microsoft.Compute/disks/beginGetAccess/action or Microsoft.Compute/snapshots/BeginGetAccess/action event and examine the target disk or snapshot resource. Identify the principal (user, service principal, or managed identity) that initiated the operation and verify the source IP address and user agent string. Determine whether the activity originated from expected infrastructure, authorized administrators, or legitimate backup systems.

If the activity was unauthorized, immediately revoke the generated SAS URI by calling the corresponding endGetAccess action on the affected disk or snapshot resource. Disable or rotate credentials for the compromised principal and review Azure RBAC assignments to remove excessive permissions. If exfiltration likely occurred, treat all data on the affected disk as compromised, including rotating all credentials, API keys, and secrets that may have been stored on the system. Review audit logs for the affected subscription to identify any related suspicious activities such as snapshot creation, disk cloning, or role assignment modifications. Implement Azure Policy to restrict disk export operations to specific roles or require approval workflows for sensitive resources.
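Triage logic for this detection, as an added example (not AlphaSOC's code): it scans constructed, simplified Azure Activity log records for the two beginGetAccess operations named above, drops a hypothetical allowlisted backup principal, pulls out the caller, source IP, requested access level and SAS lifetime from the request body, and marks whether a later endGetAccess on the same resource revoked the URI. Field names follow the Activity log schema; the record values, the `backup-svc` allowlist and the `<subscription-id-placeholder>` are assumptions.

```python
import json
# Operations named in the detection description, compared case-insensitively
# because Activity log exports upper-case the operationName field.
EXPORT_OPS = {"microsoft.compute/disks/begingetaccess/action",
              "microsoft.compute/snapshots/begingetaccess/action"}
REVOKE_OPS = {"microsoft.compute/disks/endgetaccess/action",
              "microsoft.compute/snapshots/endgetaccess/action"}
ALLOWLISTED_PRINCIPALS = {"backup-svc"}  # constructed: the backup solution's identity
RG = "/subscriptions/<subscription-id-placeholder>/resourceGroups/prod-rg/providers/Microsoft.Compute/"

def _rec(time, op, resource, name, ip, body=None):
    """Build a constructed, simplified Azure Activity log record (invented values)."""
    return {"time": time, "category": "Administrative", "resultType": "Success",
            "operationName": op, "resourceId": RG + resource, "callerIpAddress": ip,
            "identity": {"claims": {"name": name}},
            "properties": {"requestbody": json.dumps(body) if body else ""}}

SAMPLE_LOG = [
    _rec("2024-05-01T10:02:11Z", "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION",
         "disks/sql01-osdisk", "alice@example.com", "203.0.113.7",
         {"access": "Read", "durationInSeconds": 86400}),
    _rec("2024-05-01T10:30:00Z", "MICROSOFT.COMPUTE/DISKS/ENDGETACCESS/ACTION",  # SAS revoked
         "disks/sql01-osdisk", "alice@example.com", "203.0.113.7"),
    _rec("2024-05-01T11:00:00Z", "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION",  # allowlisted
         "disks/web02-datadisk", "backup-svc", "10.1.0.4", {"access": "Read", "durationInSeconds": 3600}),
    _rec("2024-05-01T13:45:09Z", "MICROSOFT.COMPUTE/SNAPSHOTS/BeginGetAccess/ACTION",  # still live
         "snapshots/sql01-osdisk-snap", "bob@example.com", "198.51.100.23",
         {"access": "Read", "durationInSeconds": 3600}),
    _rec("2024-05-01T14:00:00Z", "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",  # unrelated
         "virtualMachines/web02", "alice@example.com", "203.0.113.7"),
]

def find_export_uri_events(log, allowlist=ALLOWLISTED_PRINCIPALS):
    """One finding per successful beginGetAccess by a non-allowlisted principal, with the
    requested access/duration and whether a later endGetAccess on that resource revoked it."""
    revocations = [(r["resourceId"].lower(), r["time"]) for r in log
                   if r.get("operationName", "").lower() in REVOKE_OPS and r.get("resultType") == "Success"]
    findings = []
    for r in log:
        if r.get("operationName", "").lower() not in EXPORT_OPS or r.get("resultType") != "Success":
            continue
        who = r.get("identity", {}).get("claims", {}).get("name", "<unknown>")
        if who in allowlist:
            continue
        rid, body = r["resourceId"], json.loads(r["properties"].get("requestbody") or "{}")
        findings.append({"time": r["time"], "principal": who, "caller_ip": r.get("callerIpAddress"),
                         "kind": "snapshot" if "/snapshots/" in rid else "disk", "resource": rid.rsplit("/", 1)[-1],
                         "access": body.get("access"), "duration_s": body.get("durationInSeconds"),
                         "revoked": any(x == rid.lower() and t > r["time"] for x, t in revocations)})
    return findings
```

Findings whose `revoked` flag is still false are the ones where the endGetAccess step above is outstanding; a long `duration_s` from an unexpected `caller_ip` is the combination that most deserves a closer look.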

Known False Positives

  • Authorized backup and disaster recovery solutions generating export URIs for offsite storage
  • Managed service providers performing routine maintenance or data recovery operations

Further Reading