search

Attacking key vaults

hashtag
What are key vaults

They are used by developers to manage credentials for applications.

Key vaults can contain:

  • Secrets

  • Certificates

  • Passwords

LogoDetection and Compromise: Azure Key Vaults & Secretswww.inversecos.comchevron-right

hashtag
Attack

To perform this attack certain permissions are required:

  • Microsoft.Key/vaults/read

  • Microsoft.Key/vaults/secrets/read

  • Microsoft.Key/vaults/acessPolicies/write

Not only user accounts will have these permissions:

  • Service Principal accounts

  • Managed identities

  • Automation accounts

hashtag
Attack methodology:

  1. Enumerate all key vaults in environment

  2. List keys and secrets within the Azure key vault

  3. Compromise plaintext secrets and encryption keys

  4. Maintain persistence by modifying the access policy via adding a malicious account

hashtag
Enumerate key vaults:

hashtag
Enumerate key/secrets in vault

hashtag
Access Keys/Secrets

Locations:

hashtag
Add user to modify/read keyvault

hashtag
Detect

Diagnostic settings is not enabled by default. This means that operations like "get" and "list" are not logged by default.

hashtag
What logs are available?

  • Azure Diagnostics

  • Activity Logs (only stores modification to access policy).

hashtag
Azure Diagnostics:

Hunt for:

  • Keylist/KeyGet

  • KeyDecrypt

  • KeyListDeleted

  • SecretGet/SecretList

  • SecretRecover

  • SecretGetDeleted/SecretListDeleted

  • CertificateGet/CertificateList

  • CertificateRecover

  • CertificateGetDeleted

hashtag
Activity Logs:

hashtag
Mitigate

  1. Perform audit on accounts to ensure the following roles are absolutely needed.

  • Microsoft.Key/vaults/read

  • Microsoft.Key/vaults/secrets/read

  • Microsoft.Key/vaults/acessPolicies/write

  1. Audit Access Policy Creation

  2. Ensure that diagnostic log settings are set and being pushed to a storage account, log analytic workspace, or a SIEM.

PreviousGolden SAML TheftNextSkeleton Keys (PTA Abuse)

Last updated