AZT604.3 - Azure Key Vault Dumping: Azure Key Vault Key Dump#
By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.
Resource
Azure Key Vault
Actions
- Microsoft.KeyVault/vaults/keys/read
Examples
Detections
Detection Details#
By default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on.
Logs#
Data Source | Operation Name | Action | Log Location |
---|---|---|---|
Azure Diagnostics | KeyList | N/A | Log Analytics |
Queries#
Platform | Query |
---|---|
Log Analytics | AzureDiagnostics | where ResourceProvider =="MICROSOFT.KEYVAULT" and OperationName == "KeyList" |