Skip to content

AZT604.1 - Azure Key Vault Dumping: Azure Key Vault Secret Dump#

By accessing an Azure Key Vault, an adversary may dump any or all secrets.

Resource

Azure Key Vault

Actions

  • Microsoft.KeyVault/vaults/secrets/getSecret/action

Examples

Get-AzKeyVaultSecret

az keyvault secret

GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.3

secrets

Detections

Detection Details#

By default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on.

Logs#

Data Source Operation Name Action Log Provider
Resource SecretGet N/A AzureDiagnostics

Queries#

Platform Query
Log Analytics AzureDiagnostics | where OperationName == 'SecretList'

Azure Monitor Alert#

Deploy to Azure

Additional Resources

https://docs.microsoft.com/en-us/azure/key-vault/general/logging?WT.mc_id=Portal-fx&tabs=Vault