Skip to content

AZT604.3 - Azure Key Vault Dumping: Azure Key Vault Key Dump#

By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.

Resource

Azure Key Vault

Actions

  • Microsoft.KeyVault/vaults/keys/read

Detections

Detection Details#

By default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on.

Logs#

Data Source Operation Name Action Log Location
Azure Diagnostics KeyList N/A Log Analytics

Queries#

Platform Query
Log Analytics AzureDiagnostics | where ResourceProvider =="MICROSOFT.KEYVAULT" and OperationName == "KeyList"