Attacking key vaults
What are key vaults
They are used by developers to manage credentials for applications.
Key vaults can contain:
Secrets
Certificates
Passwords
Attack
To perform this attack the following permissions are required:
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write
These permissions are not held by user accounts only; they are also commonly granted to:
Service Principal accounts
Managed identities
Automation accounts
Attack methodology:
Enumerate all key vaults in environment
List keys and secrets within the Azure key vault
Compromise plaintext secrets and encryption keys
Maintain persistence by modifying the access policy to add an attacker-controlled account
Enumerate key vaults:
#list key vaults
az keyvault list
Enumerate keys/secrets in vault
#list key and secret names
az keyvault key list --vault-name VAULTNAME
az keyvault secret list --vault-name VAULTNAME

Access keys/secrets
#show a key's attributes, or a secret's value
az keyvault key show --vault-name VAULTNAME -n <Name of key>
az keyvault secret show --vault-name VAULTNAME -n <Name of secret>
Add user to modify/read key vault
#grant get/list key permissions to an account
az keyvault set-policy -n VAULTNAME --key-permissions get list --upn account@onmicrosoft.com
Detect
Diagnostic settings are not enabled by default, so data-plane operations such as "get" and "list" are not logged unless they are turned on.
What logs are available?
Azure Diagnostics
Activity Logs (only record modifications to the access policy).
Azure Diagnostics:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress, OperationName, requestUri_s

Hunt for:
KeyList/KeyGet
KeyDecrypt
KeyListDeleted
SecretGet/SecretList
SecretRecover
SecretGetDeleted/SecretListDeleted
CertificateGet/CertificateList
CertificateRecover
CertificateGetDeleted
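A small triage script for the hunt above, added here as an example and not part of the original page: it reproduces the filter and summarize of the KQL query over AzureDiagnostics-shaped records and flags callers that perform several distinct hunted operations. The column names follow the page's query; the vault name, IP addresses and sample records are constructed.

```python
from collections import Counter

# Operations the page says to hunt for (plaintext material read or recovered).
HUNT_OPERATIONS = {
    "KeyList", "KeyGet", "KeyDecrypt", "KeyListDeleted",
    "SecretGet", "SecretList", "SecretRecover", "SecretGetDeleted",
    "SecretListDeleted", "CertificateGet", "CertificateList",
    "CertificateRecover", "CertificateGetDeleted",
}

def rec(ip, op, uri, provider="MICROSOFT.KEYVAULT"):
    """Build one record with the AzureDiagnostics columns the page's KQL uses."""
    return {"ResourceProvider": provider, "CallerIPAddress": ip,
            "OperationName": op, "requestUri_s": uri}

VAULT = "https://app-kv.vault.azure.net"  # constructed vault name
# Constructed sample: an app reading its one secret, then a single caller
# sweeping keys, secrets and a soft-deleted secret, plus an unrelated storage op.
SAMPLE_RECORDS = [
    rec("10.0.0.5", "SecretGet", f"{VAULT}/secrets/db-conn"),
    rec("203.0.113.7", "KeyList", f"{VAULT}/keys"),
    rec("203.0.113.7", "SecretList", f"{VAULT}/secrets"),
    rec("203.0.113.7", "SecretGet", f"{VAULT}/secrets/db-conn"),
    rec("203.0.113.7", "SecretGetDeleted", f"{VAULT}/deletedsecrets/old-key"),
    rec("203.0.113.7", "GetBlob", "https://files.blob.core.windows.net/x",
        provider="MICROSOFT.STORAGE"),
]

def keyvault_records(records):
    """The KQL 'where ResourceProvider == MICROSOFT.KEYVAULT' filter."""
    return [r for r in records if r.get("ResourceProvider") == "MICROSOFT.KEYVAULT"]

def summarize_ops(records):
    """The KQL summarize: count by (CallerIPAddress, OperationName, requestUri_s)."""
    return Counter((r["CallerIPAddress"], r["OperationName"], r["requestUri_s"])
                   for r in keyvault_records(records))

def hunt_hits(records):
    """Key Vault records whose OperationName is on the hunt list."""
    return [r for r in keyvault_records(records) if r["OperationName"] in HUNT_OPERATIONS]

def suspicious_callers(records, min_distinct_ops=3):
    """Callers with many distinct hunted operations: one IP touching keys,
    secrets and deleted secrets looks like enumeration, not normal app use."""
    ops_by_ip = {}
    for r in hunt_hits(records):
        ops_by_ip.setdefault(r["CallerIPAddress"], set()).add(r["OperationName"])
    return sorted(ip for ip, ops in ops_by_ip.items() if len(ops) >= min_distinct_ops)

if __name__ == "__main__":
    for key, n in summarize_ops(SAMPLE_RECORDS).most_common():
        print(n, *key)
    print("suspicious callers:", suspicious_callers(SAMPLE_RECORDS))
```

The hunt list alone also matches the legitimate application's single SecretGet, which is why the script groups by caller and counts distinct operations before raising anything.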
Activity Logs:

Mitigate
Audit accounts to ensure the following permissions are actually needed:
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write
Audit access policy creation and changes.
Ensure that diagnostic settings are configured and that the logs are forwarded to a storage account, a Log Analytics workspace, or a SIEM.