Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Methods for Detecting Exfiltration using AZcopy

Silver Contributor
1 Reply

@Dean Gross I haven't' actually tried this but I would think you could search the Event and SecurityEvent tables for the azcopy command and then filter based on the file you are looking for.  Of course, a smart person would rename the file before trying to upload it so you may want to see if the URL it is sending the data to is external to your company.

 

Take a look at this blog post to give you an idea on how to do this: Monitor and Hunting P0w3rSh3LL with Azure Sentinel (eshlomo.us)