Az - File Shares
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Azure Files is a fully managed cloud file storage service that provides shared file storage accessible via the standard SMB (Server Message Block) and NFS (Network File System) protocols. The main protocol used is SMB, since (according to the docs) NFS Azure file shares aren't supported for Windows. It allows you to create highly available network file shares that can be accessed simultaneously by multiple virtual machines (VMs) or on-premises systems, enabling seamless file sharing across environments.
Transaction Optimized: Optimized for transaction-heavy operations.
Hot: Balanced between transactions and storage.
Cool: Cost-effective for storage.
Premium: High-performance file storage optimized for low-latency and IOPS-intensive workloads.
Daily backup: A backup point is created each day at an indicated time (e.g. 19.30 UTC) and retained for 1 to 200 days.
Weekly backup: A backup point is created each week at an indicated day and time (e.g. Sunday at 19.30) and retained for 1 to 200 weeks.
Monthly backup: A backup point is created each month at an indicated day and time (e.g. the first Sunday at 19.30) and retained for 1 to 120 months.
Yearly backup: A backup point is created each year at an indicated day and time (e.g. the first Sunday of January at 19.30) and retained for 1 to 10 years.
It's also possible to perform manual backups and snapshots at any time. Backups and snapshots are actually the same in this context.
On-premises AD DS Authentication: It uses on-premises Active Directory credentials synced with Microsoft Entra ID for identity-based access. It requires network connectivity to on-premises AD DS.
Microsoft Entra Domain Services Authentication: It leverages Microsoft Entra Domain Services (cloud-based AD) to provide access using Microsoft Entra credentials.
Microsoft Entra Kerberos for Hybrid Identities: It enables Microsoft Entra users to authenticate to Azure file shares over the internet using Kerberos. It supports hybrid Microsoft Entra joined or Microsoft Entra joined VMs without requiring connectivity to on-premises domain controllers, but it does not support cloud-only identities.
AD Kerberos Authentication for Linux Clients: It allows Linux clients to use Kerberos for SMB authentication via on-premises AD DS or Microsoft Entra Domain Services.
By default az cli will use an account key to sign the request and perform the action. To use the Entra ID principal's privileges instead, use the parameters --auth-mode login --enable-file-backup-request-intent.
Use the param --account-key to indicate the account key to use.
Use the param --sas-token with the SAS token to access via a SAS token.
These are the scripts proposed by Azure at the time of writing to connect to a File Share:
You need to replace the <STORAGE-ACCOUNT>, <ACCESS-KEY> and <FILE-SHARE-NAME> placeholders.
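As an added example (not one of the Azure-provided scripts, which are not reproduced here), a Linux mount helper that keeps the account key in a mode-600 credentials file instead of on the command line and requires an encrypted SMB 3.1.1 session; the STORAGE_ACCOUNT, ACCESS_KEY, FILE_SHARE_NAME and CRED_DIR variable names and the /mnt/<share> mount point are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the script shown in the Azure portal: mount an Azure Files share
# over SMB from Linux without exposing the account key on the command line.
# Assumes cifs-utils is installed and TCP 445 egress is allowed. The variable names
# below (STORAGE_ACCOUNT, ACCESS_KEY, FILE_SHARE_NAME, CRED_DIR) are this example's own.
set -eu
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-<STORAGE-ACCOUNT>}"
ACCESS_KEY="${ACCESS_KEY:-<ACCESS-KEY>}"
FILE_SHARE_NAME="${FILE_SHARE_NAME:-<FILE-SHARE-NAME>}"
CRED_DIR="${CRED_DIR:-/etc/smbcredentials}"

# Return non-zero while any <...> placeholder is still unreplaced.
placeholders_replaced() {
  case "$1$2$3" in
    *'<'*'>'*) return 1 ;;
  esac
  return 0
}

# Write username/password to a file readable only by its owner (mode 600), so the
# key is not visible in `ps`, `mount` output or the shell history. Prints the path.
write_cred_file() {  # $1=account $2=key $3=directory
  local path="$3/$1.cred"
  mkdir -p "$3"
  ( umask 077; printf 'username=%s\npassword=%s\n' "$1" "$2" > "$path" )
  chmod 600 "$path"
  printf '%s\n' "$path"
}

# Build the mount command. vers=3.1.1 plus seal forces an encrypted SMB 3 session;
# serverino/nosharesock/actimeo are the usual Azure Files options.
build_mount_cmd() {  # $1=account $2=share $3=credentials file
  printf 'mount -t cifs //%s.file.core.windows.net/%s /mnt/%s -o credentials=%s,vers=3.1.1,seal,serverino,nosharesock,actimeo=30,dir_mode=0770,file_mode=0660\n' \
    "$1" "$2" "$2" "$3"
}

main() {
  placeholders_replaced "$STORAGE_ACCOUNT" "$ACCESS_KEY" "$FILE_SHARE_NAME" \
    || { echo "replace the <...> placeholders first" >&2; exit 1; }
  # Azure Files is only reachable on TCP 445; fail early if that port is blocked.
  timeout 5 bash -c "exec 3<>/dev/tcp/$STORAGE_ACCOUNT.file.core.windows.net/445" \
    || { echo "TCP 445 to $STORAGE_ACCOUNT.file.core.windows.net is blocked" >&2; exit 1; }
  cred="$(write_cred_file "$STORAGE_ACCOUNT" "$ACCESS_KEY" "$CRED_DIR")"
  mkdir -p "/mnt/$FILE_SHARE_NAME"
  eval "$(build_mount_cmd "$STORAGE_ACCOUNT" "$FILE_SHARE_NAME" "$cred")"
}

# Only mount when explicitly asked (./mount_share.sh mount), so the file can also be sourced.
if [ "${1:-}" = "mount" ]; then main; fi
```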
Same as storage privesc: Az - Storage Privesc
Same as storage persistence: Az - Storage Persistence