
AZT605.3 - Resource Secret Reveal: Resource Group Deployment History Secret Dump

By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.

Resource

Resource Group

Actions

  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/subscriptions/resourceGroups/read

Detections

Detection Details

When a template is used, the parameters from the template are reflected on the 'Input' page when viewing the deployment detail in the Azure portal. Parameter values are shown unless the parameter is declared with the 'SecureString' type. If 'SecureString' is not used, the value appears in the deployment input details.
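An audit sketch for the condition described above, added here as an example and not taken from the original page: it walks deployment records and reports secret-looking parameters whose value is stored in the deployment inputs because they were not declared as SecureString. The sample data is constructed and assumed to be shaped like the JSON returned by `az deployment group list`; the name pattern is an assumed heuristic, and values are never returned or printed.

```python
import json
import re

# Assumed heuristic: parameter names that suggest a secret.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|key|token|connectionstring", re.I)

# Constructed sample, assumed to be shaped like `az deployment group list` output.
SAMPLE_DEPLOYMENTS = json.loads("""
[
  {"name": "vm-deploy-01",
   "properties": {"parameters": {
       "adminUsername": {"type": "String", "value": "azureuser"},
       "adminPassword": {"type": "String", "value": "constructed-example-value"},
       "location":      {"type": "String", "value": "westeurope"}}}},
  {"name": "sql-deploy-02",
   "properties": {"parameters": {
       "sqlAdminPassword": {"type": "SecureString"},
       "storageKey": {"type": "string", "value": "constructed-example-value"}}}},
  {"name": "no-params", "properties": {"parameters": null}}
]
""")

def find_exposed_parameters(deployments):
    """Return (deployment, parameter, type) for secret-looking parameters
    whose value is readable in deployment history. Values are not returned."""
    findings = []
    for dep in deployments:
        params = (dep.get("properties") or {}).get("parameters") or {}
        for name, spec in params.items():
            ptype = str(spec.get("type", "")).lower()
            if ptype in ("securestring", "secureobject"):
                continue  # secure types: value is not shown in the inputs
            if "value" in spec and SENSITIVE_NAME.search(name):
                findings.append((dep.get("name"), name, spec.get("type")))
    return findings

if __name__ == "__main__":
    for dep, param, ptype in find_exposed_parameters(SAMPLE_DEPLOYMENTS):
        print(f"{dep}: '{param}' (type {ptype}) is readable in deployment "
              "history; redeclare as securestring and rotate the secret")
```

Each finding marks a credential to rotate and a template to correct, since anyone holding the read actions listed above can view the same inputs.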

Logs

| Data Source | Operation Name | Action | Log Provider |
|-------------|----------------|--------|---------------|
| Resource    | N/A            | N/A    | AzureActivity |