Attacking key vaults
What are key vaults
They are used by developers to manage credentials for applications.
Key vaults can contain:
Secrets
Certificates
Passwords
Attack
To perform this attack, the following permissions are required:
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write
These permissions are not held only by user accounts; they may also be granted to:
Service Principal accounts
Managed identities
Automation accounts
Attack methodology:
Enumerate all key vaults in environment
List keys and secrets within the Azure key vault
Compromise plaintext secrets and encryption keys
Maintain persistence by modifying the access policy via adding a malicious account
Enumerate key vaults:
Enumerate key/secrets in vault
Access Keys/Secrets
Locations:
Add user to modify/read key vault
Detect
Diagnostic settings are not enabled by default. This means that data-plane operations such as "get" and "list" are not logged unless a diagnostic setting has been configured.
What logs are available?
Azure Diagnostics
Activity Logs (only record modifications to the access policy).
Azure Diagnostics:
Hunt for:
KeyList/KeyGet
KeyDecrypt
KeyListDeleted
SecretGet/SecretList
SecretRecover
SecretGetDeleted/SecretListDeleted
CertificateGet/CertificateList
CertificateRecover
CertificateGetDeleted
Activity Logs:
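The two log sources above can be hunted with a small script. The following is an added example, not part of the original page: it scans a constructed export of Key Vault AuditEvent rows and one Activity Log entry, flags every operation from the hunt list, counts them per caller to surface bulk dumping of secrets, and lists access-policy changes. The record layout (field names such as operationName, identity.claim.upn, callerIpAddress, and the nested operationName.value of Activity Log entries) is a simplified assumption about the export format, and all values are made up. These events only exist if diagnostic settings are enabled on the vault.

```python
import json
from collections import Counter

# Key Vault AuditEvent operation names to hunt for (the list from the Detect section).
SECRET_ACCESS_OPS = {
    "KeyList", "KeyGet", "KeyDecrypt", "KeyListDeleted",
    "SecretGet", "SecretList", "SecretRecover",
    "SecretGetDeleted", "SecretListDeleted",
    "CertificateGet", "CertificateList", "CertificateRecover",
    "CertificateGetDeleted",
}

# Activity Log operation that records an access-policy change on a vault.
ACCESS_POLICY_WRITE = "Microsoft.KeyVault/vaults/accessPolicies/write"

# Constructed sample export (one JSON record per line). Not real telemetry;
# the field layout is an assumption mirroring a simplified AzureDiagnostics
# AuditEvent row and a simplified Activity Log entry.
SAMPLE_EXPORT = """
{"time": "2024-01-01T10:00:00Z", "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success", "callerIpAddress": "203.0.113.10", "identity": {"claim": {"upn": "alice@example.test"}}, "properties": {"id": "https://kv-example.vault.azure.net/secrets/db-password"}}
{"time": "2024-01-01T10:01:00Z", "category": "AuditEvent", "operationName": "KeyGet", "resultType": "Success", "callerIpAddress": "203.0.113.10", "identity": {"claim": {"upn": "alice@example.test"}}, "properties": {"id": "https://kv-example.vault.azure.net/keys/signing-key"}}
{"time": "2024-01-01T10:02:00Z", "category": "AuditEvent", "operationName": "SecretList", "resultType": "Success", "callerIpAddress": "198.51.100.5", "identity": {"claim": {"appid": "11111111-2222-3333-4444-555555555555"}}, "properties": {"id": "https://kv-example.vault.azure.net/secrets"}}
{"time": "2024-01-01T10:02:05Z", "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success", "callerIpAddress": "198.51.100.5", "identity": {"claim": {"appid": "11111111-2222-3333-4444-555555555555"}}, "properties": {"id": "https://kv-example.vault.azure.net/secrets/db-password"}}
{"time": "2024-01-01T10:02:06Z", "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success", "callerIpAddress": "198.51.100.5", "identity": {"claim": {"appid": "11111111-2222-3333-4444-555555555555"}}, "properties": {"id": "https://kv-example.vault.azure.net/secrets/api-token"}}
{"time": "2024-01-01T10:02:07Z", "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success", "callerIpAddress": "198.51.100.5", "identity": {"claim": {"appid": "11111111-2222-3333-4444-555555555555"}}, "properties": {"id": "https://kv-example.vault.azure.net/secrets/storage-key"}}
{"time": "2024-01-01T10:05:00Z", "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Forbidden", "callerIpAddress": "192.0.2.77", "identity": {"claim": {"upn": "bob@example.test"}}, "properties": {"id": "https://kv-example.vault.azure.net/secrets/db-password"}}
{"time": "2024-01-01T10:06:00Z", "category": "AuditEvent", "operationName": "VaultGet", "resultType": "Success", "callerIpAddress": "203.0.113.10", "identity": {"claim": {"upn": "alice@example.test"}}, "properties": {"id": "https://kv-example.vault.azure.net/"}}
{"time": "2024-01-01T10:09:00Z", "category": "Administrative", "operationName": {"value": "Microsoft.KeyVault/vaults/accessPolicies/write"}, "caller": "mallory@example.test", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example"}
"""


def parse_export(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def caller_of(record):
    """Best-effort principal label: UPN, then app id, then Activity Log caller, then source IP."""
    claim = record.get("identity", {}).get("claim", {})
    return (claim.get("upn") or claim.get("appid")
            or record.get("caller") or record.get("callerIpAddress", "unknown"))


def find_secret_access(records):
    """AuditEvent rows whose operation reads, lists, decrypts or recovers vault material.
    Failed attempts (e.g. resultType Forbidden) are kept: they show who is probing."""
    return [r for r in records
            if r.get("category") == "AuditEvent" and r.get("operationName") in SECRET_ACCESS_OPS]


def find_access_policy_changes(records):
    """Activity Log entries that modified a vault access policy (the persistence step)."""
    hits = []
    for r in records:
        op = r.get("operationName")
        if isinstance(op, dict):          # Activity Log nests the name under "value"
            op = op.get("value")
        if op == ACCESS_POLICY_WRITE:
            hits.append(r)
    return hits


def ops_per_caller(records):
    """Count hunted operations per caller to surface bulk enumeration."""
    return Counter(caller_of(r) for r in find_secret_access(records))


def detect(records, bulk_threshold=3):
    """Return per-caller counts, callers at or above the bulk threshold,
    and every access-policy change (each one deserves a manual review)."""
    per_caller = ops_per_caller(records)
    return {
        "per_caller": dict(per_caller),
        "bulk_callers": sorted(c for c, n in per_caller.items() if n >= bulk_threshold),
        "access_policy_changes": [(r["time"], caller_of(r)) for r in find_access_policy_changes(records)],
    }


if __name__ == "__main__":
    print(json.dumps(detect(parse_export(SAMPLE_EXPORT)), indent=2))
```

A list followed by a burst of gets from one principal is the pattern to tune the threshold against; a single SecretGet from a known application is normal, while any accessPolicies/write by an identity that does not usually administer the vault is worth an alert on its own.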
Mitigate
Audit accounts (users, service principals, managed identities and automation accounts) to ensure the following permissions are absolutely needed:
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write
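Because Azure RBAC grants actions through patterns in which "*" is a wildcard and NotActions subtract from Actions, the permissions above are often held indirectly rather than spelled out. The script below is an added example, not part of the original page: it expands constructed role definitions against constructed assignments and reports which principals effectively hold each of the three sensitive actions. The role names and definitions are illustrative and are not the exact built-in Azure roles; the principal names and GUID are made up.

```python
from fnmatch import fnmatchcase

# The three permissions the page identifies as needed for the attack.
SENSITIVE_ACTIONS = [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/read",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
]

# Constructed role definitions (illustrative, not the real built-in roles).
# "actions" and "notActions" use Azure RBAC pattern syntax with "*" wildcards.
ROLE_DEFINITIONS = {
    "ReaderLike":           {"actions": ["*/read"], "notActions": []},
    "VaultContributorLike": {"actions": ["Microsoft.KeyVault/*"], "notActions": []},
    "OwnerLike":            {"actions": ["*"], "notActions": []},
    "VaultMetadataReader":  {"actions": ["Microsoft.KeyVault/vaults/read"], "notActions": []},
    "VaultOpsNoPolicy":     {"actions": ["Microsoft.KeyVault/*"],
                             "notActions": ["Microsoft.KeyVault/vaults/accessPolicies/write"]},
    "StorageOnly":          {"actions": ["Microsoft.Storage/*"], "notActions": []},
}

# Constructed assignments: (principal, principal type, role name).
ROLE_ASSIGNMENTS = [
    ("alice@example.test", "User", "ReaderLike"),
    ("11111111-2222-3333-4444-555555555555", "ServicePrincipal", "VaultContributorLike"),
    ("bob@example.test", "User", "OwnerLike"),
    ("carol@example.test", "User", "VaultMetadataReader"),
    ("mi-webapp-prod", "ManagedIdentity", "VaultOpsNoPolicy"),
    ("dave@example.test", "User", "StorageOnly"),
]


def action_allowed(action, role):
    """Azure RBAC semantics: allowed if any Actions pattern matches and no NotActions pattern does.
    fnmatchcase treats "*" as matching any run of characters, including "/"."""
    allowed = any(fnmatchcase(action, pattern) for pattern in role["actions"])
    denied = any(fnmatchcase(action, pattern) for pattern in role["notActions"])
    return allowed and not denied


def sensitive_actions_for(principal, assignments, roles):
    """Union of sensitive actions a principal holds across all of its role assignments."""
    granted = set()
    for who, _ptype, role_name in assignments:
        if who != principal:
            continue
        role = roles[role_name]
        granted.update(a for a in SENSITIVE_ACTIONS if action_allowed(a, role))
    return sorted(granted)


def audit(assignments, roles):
    """Map every principal that holds at least one sensitive action to its type and actions."""
    report = {}
    for who, ptype, _role_name in assignments:
        actions = sensitive_actions_for(who, assignments, roles)
        if actions:
            report[who] = {"type": ptype, "actions": actions}
    return report


def can_modify_access_policy(assignments, roles):
    """Principals able to rewrite an access policy, i.e. to add a persistence account."""
    return sorted(who for who, info in audit(assignments, roles).items()
                  if "Microsoft.KeyVault/vaults/accessPolicies/write" in info["actions"])


if __name__ == "__main__":
    for who, info in audit(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS).items():
        print(f"{who} ({info['type']}): {', '.join(info['actions'])}")
    print("Can modify access policy:", can_modify_access_policy(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS))
```

This covers the control-plane (RBAC) side only. A vault's access policies are a separate grant on the data plane, so the list of identities named in each vault's access policy has to be reviewed alongside the RBAC report; that is the list an attacker with accessPolicies/write would extend.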
Audit access policy creation and modification.
Ensure that diagnostic settings are configured and that the logs are forwarded to a storage account, a Log Analytics workspace, or a SIEM.