AZT604.2 - Azure Key Vault Dumping: Azure Key Vault Certificate Dump#
By accessing an Azure Key Vault, an adversary may dump any or all certificates.
Resource
Azure Key Vault
Actions
- Microsoft.KeyVault/vaults/secrets/getSecret/action
Examples
Detections
Detection Details#
By default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on.
Logs#
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Azure Diagnostics | CertificateList | N/A | Log Analytics |
Azure Diagnostics | SecretGet | N/A | Log Analytics |
Queries#
Platform | Query |
---|---|
Log Analytics | AzureDiagnostics | where ResourceProvider =="MICROSOFT.KEYVAULT" and OperationName == "CertificateList" or OperationName == "SecretGet" |