{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azcopy.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AzCopy.exe","StorageExplorer.exe"],"_cs_severities":["medium"],"_cs_tags":["data-exfiltration","azure-storage","cli","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the anomalous execution of Windows Azure Storage utilities, specifically AzCopy.exe and StorageExplorer.exe, via the command-line interface (CLI). These utilities are designed for large-scale data transfers to and from Azure storage accounts. While legitimate administrative use is common, adversaries can exploit these tools post-compromise to exfiltrate sensitive data or stage files for further malicious activities. This allows attackers to leverage trusted cloud channels, making their actions blend with normal network traffic and evade traditional network-based defenses. Identifying unexpected users, unusual parent processes, or anomalous execution patterns involving these utilities is critical for detecting potential data breaches and unauthorized access attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through methods outside the scope of this detection (e.g., phishing, vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance on the compromised host to identify sensitive data.\u003c/li\u003e\n\u003cli\u003eAzCopy.exe or StorageExplorer.exe is executed via the command line.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the Azure Storage utility with appropriate credentials or access tokens, potentially obtained through credential theft.\u003c/li\u003e\n\u003cli\u003eData is staged in a local directory to prepare for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe Azure Storage utility uploads the staged data to an attacker-controlled Azure storage account.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the data transfer to the external Azure storage account.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated data is used for extortion, sale, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the exfiltration of sensitive data, including intellectual property, financial records, and customer data. This can lead to significant financial losses, reputational damage, and legal liabilities. The use of trusted cloud channels makes detection more challenging, potentially allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eAzure Storage Utility Execution via Suspicious Parent\u003c/code\u003e to detect AzCopy or StorageExplorer execution from unusual parent processes (e.g., scripting engines).\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for command-line invocations of \u003ccode\u003eAzCopy.exe\u003c/code\u003e and \u003ccode\u003eStorageExplorer.exe\u003c/code\u003e as covered by the rule \u003ccode\u003eAzure Storage Utility Execution via CLI\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, paying close attention to the user account, parent process, command-line arguments, and destination Azure storage account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-azure-storage-cli-execution/","summary":"Adversaries may leverage Azure Storage utilities like AzCopy and Storage Explorer post-compromise to stage or extract sensitive data from endpoints, blending malicious activity with legitimate cloud traffic.","title":"Detection of Azure Storage Utility Execution via Command Line Interface","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-storage-cli-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — AzCopy.exe","version":"https://jsonfeed.org/version/1.1"}