AZT604.2 - Azure Key Vault Dumping: Azure Key Vault Certificate Dump#

By accessing an Azure Key Vault, an adversary may dump any or all certificates.

Resource

Azure Key Vault

Actions

Microsoft.KeyVault/vaults/secrets/getSecret/action

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Get-AzKeyVaultCertificate

az keyvault certificate

GET {vaultBaseUrl}/certificates/{certificate-name}/{certificate-version}?api-version=7.3

certs

Detections

Detection Details#

By default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on.

Logs#

Data Source	Operation Name	Action	Log Location
Azure Diagnostics	CertificateList	N/A	Log Analytics
Azure Diagnostics	SecretGet	N/A	Log Analytics

Queries#

Platform	Query
Log Analytics	`AzureDiagnostics \| where ResourceProvider =="MICROSOFT.KEYVAULT" and OperationName == "CertificateList" or OperationName == "SecretGet"`

Additional Resources

https://docs.microsoft.com/en-us/azure/key-vault/general/logging?WT.mc_id=Portal-fx&tabs=Vault