
Daily Blog #694: AZCopy and SAS Tokens

Hello Reader,
If you read #DFIR Twitter daily (I mean, who doesn't?), then you likely saw this post by Jordan Barth.

Let me explain what Jordan's talking about and why you should care if you're doing DFIR in Azure.

Full disclosure: Jordan is a fellow KPMGer and he knows his Azure.

So first, AZCopy is a utility created by Microsoft for moving data to or from Azure. You can read more about it here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Second, SAS URLs or SAS tokens (Shared Access Signature tokens) allow you to provide access to a resource with a single URL rather than handing out login credentials. This lets you take, say, a compromised VHD and provide read-only access to it even if:
1. You're not in the same subscription/tenant
2. You're not in the same organization
3. You don't have an account in that tenant

Just like in Google Docs, where you can hand out an 'edit' or 'view' link to others without adding them to your account, you can do the same with Azure resources. This lets you quickly give, say, an IR tenant read-only access to your production tenant without tipping off an attacker that anything has happened or starting up new instances in the compromised environment.
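Because a SAS URL is itself the credential, the link you hand to an IR tenant should be read-only, HTTPS-only, short-lived and, where possible, pinned to a source IP. The script below is an added example (not code from the original post, Jordan's tweet or Microsoft) that inspects a SAS URL before it is shared and reports anything looser than that. It uses only the Python standard library and the public SAS query-parameter names (sp, se, st, spr, sip, sig); the storage account, container, blob name, IP address, signature value and "as of" date are constructed for the example.

```python
"""Pre-flight checks on a SAS URL before it is shared with another tenant.

Added example for this post, not code from the original or from Microsoft.
Only the public SAS query parameters (sp, se, st, spr, sip, sig) and the
standard library are used; the sample URLs below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


def _parse_sas_time(value: str) -> datetime:
    """Parse the UTC timestamp forms SAS uses: a date, or a date-time ending in Z."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1]
    # fromisoformat accepts both "YYYY-MM-DD" and "YYYY-MM-DDThh:mm[:ss]".
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def check_sas_url(url: str, now: Optional[datetime] = None,
                  max_lifetime: timedelta = timedelta(days=7)) -> List[str]:
    """Return human-readable findings; an empty list means every check passed.

    The checks encode the stance of the post: a link handed to an IR tenant
    should be read-only, HTTPS-only, short-lived and ideally IP-restricted.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    # parse_qs returns lists; a SAS carries each parameter once, so take the first.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings: List[str] = []

    if parts.scheme != "https":
        findings.append("scheme is not https")
    if "sig" not in params:
        findings.append("no signature (sig): this is not a SAS URL")

    # sp lists permission letters; anything beyond r (read) and l (list) is too much
    # for an evidence link that should never modify the source.
    perms = set(params.get("sp", ""))
    if not perms:
        findings.append("no permissions (sp) present")
    extra = perms - {"r", "l"}
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))

    # When spr is absent the token is accepted over both http and https.
    if params.get("spr") != "https":
        findings.append("spr does not restrict the token to https")

    expiry = params.get("se")
    if expiry is None:
        findings.append("no expiry (se) in the URL")
    else:
        when = _parse_sas_time(expiry)
        if when <= now:
            findings.append("token already expired at " + expiry)
        elif when - now > max_lifetime:
            findings.append("expiry is more than %d days out" % max_lifetime.days)

    if "sip" not in params:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed "as of" time so the sample output is stable: the post's date.
AS_OF = datetime(2020, 5, 5, 12, 0, tzinfo=timezone.utc)

# Constructed sample: read-only, https-only, IP-restricted, one-day link to a VHD blob.
GOOD_URL = ("https://evidence.blob.core.windows.net/vhds/compromised.vhd"
            "?sv=2019-12-12&sr=b&sp=r&st=2020-05-05T00%3A00Z&se=2020-05-06T00%3A00Z"
            "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER%2Fsignature%3D")

# Constructed sample: read-write-delete, no expiry, no protocol or IP restriction.
BAD_URL = ("https://evidence.blob.core.windows.net/vhds/compromised.vhd"
           "?sv=2019-12-12&sr=b&sp=rwd&sig=PLACEHOLDER%2Fsignature%3D")

if __name__ == "__main__":
    for label, url in (("good", GOOD_URL), ("bad", BAD_URL)):
        print(label, check_sas_url(url, now=AS_OF) or ["ok"])
```

Run it on a real link (with the live clock rather than AS_OF) before you paste that link into a ticket or chat: a clean result means the IR side gets exactly the read-only window you intended, and the "expired" finding is your reminder to generate a fresh link rather than reuse an old one.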

What Jordan is talking about, though, is not the security and convenience of AZCopy with SAS tokens, but rather the speed you get when you use the Azure API rather than the browser. I'm sure this is even faster within Azure itself to make copies.

So make sure you know your cloud environment and start getting things in place to allow you to test and simulate incidents before you need them!
Reviewed by David Cowen on May 05, 2020. Rating: 5
