Attacking key vaults

What are key vaults

They are used by developers to manage credentials for applications.

Key vaults can contain:

  • Secrets

  • Certificates

  • Passwords

Attack

To perform this attack, certain permissions are required:

  • Microsoft.KeyVault/vaults/read

  • Microsoft.KeyVault/vaults/secrets/read

  • Microsoft.KeyVault/vaults/accessPolicies/write

User accounts are not the only principals that can hold these permissions:

  • Service Principal accounts

  • Managed identities

  • Automation accounts

Attack methodology:

  1. Enumerate all key vaults in the environment

  2. List keys and secrets within the Azure key vault

  3. Compromise plaintext secrets and encryption keys

  4. Maintain persistence by modifying the access policy to add a malicious account

Enumerate key vaults:

Enumerate key/secrets in vault

Access Keys/Secrets

Locations:

Add user to modify/read keyvault

Detect

Diagnostic settings are not enabled by default. This means that data-plane operations such as "get" and "list" are not logged unless diagnostics are turned on.

What logs are available?

  • Azure Diagnostics

  • Activity Logs (only store control-plane changes, such as modifications to the access policy).

Azure Diagnostics:

Hunt for:

  • KeyList/KeyGet

  • KeyDecrypt

  • KeyListDeleted

  • SecretGet/SecretList

  • SecretRecover

  • SecretGetDeleted/SecretListDeleted

  • CertificateGet/CertificateList

  • CertificateRecover

  • CertificateGetDeleted

Activity Logs:
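As an added example (not code from the original page), the following detection logic runs over exported Key Vault diagnostic records and Activity Log entries: it counts hunt-list operations per caller to surface bulk secret reads, and flags principals that successfully changed a vault access policy. The record shapes are loosely modelled on the diagnostic export format, and all identities, vault names and URIs are constructed assumptions.

```python
from collections import Counter

# Data-plane operations from the hunt list above (Key Vault AuditEvent operationName values).
HUNT_OPERATIONS = {
    "KeyList", "KeyGet", "KeyDecrypt", "KeyListDeleted",
    "SecretGet", "SecretList", "SecretRecover", "SecretGetDeleted", "SecretListDeleted",
    "CertificateGet", "CertificateList", "CertificateRecover", "CertificateGetDeleted",
}
# Control-plane action that changes who may access a vault (the persistence step above).
POLICY_WRITE = "microsoft.keyvault/vaults/accesspolicies/write"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

def diag(op, upn, uri, result="Success"):
    """Build one constructed AuditEvent record shaped like the diagnostic export."""
    return {"category": "AuditEvent", "operationName": op, "resultType": result,
            "identity": {"claim": {UPN_CLAIM: upn}}, "properties": {"requestUri": uri}}

# Constructed sample data: identities, vault name and URIs are made up for this example.
SAMPLE_DIAGNOSTICS = [
    diag("VaultGet", "alice@example.com", "https://vault1.vault.azure.net/"),  # not in hunt list
    diag("SecretGet", "alice@example.com", "https://vault1.vault.azure.net/secrets/db"),  # single read
    diag("SecretList", "svc-app@example.com", "https://vault1.vault.azure.net/secrets"),
    diag("SecretGet", "svc-app@example.com", "https://vault1.vault.azure.net/secrets/db"),
    diag("KeyGet", "svc-app@example.com", "https://vault1.vault.azure.net/keys/signing"),
    diag("SecretGet", "mallory@example.com", "https://vault1.vault.azure.net/secrets/db", "Forbidden"),
]
SAMPLE_ACTIVITY = [  # Activity Log entries; the exported operationName is often upper-cased
    {"operationName": "Microsoft.KeyVault/vaults/write", "caller": "alice@example.com", "status": "Succeeded"},
    {"operationName": "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE", "caller": "svc-app@example.com", "status": "Succeeded"},
]

def hunt_diagnostics(records):
    """Count successful hunt-list operations per caller: {caller: Counter(operation -> n)}."""
    per_caller = {}
    for r in records:
        if r.get("category") != "AuditEvent" or r.get("resultType") != "Success":
            continue  # denied attempts are a separate signal; only successful reads are counted here
        op = r.get("operationName")
        if op in HUNT_OPERATIONS:
            upn = r.get("identity", {}).get("claim", {}).get(UPN_CLAIM, "unknown")
            per_caller.setdefault(upn, Counter())[op] += 1
    return per_caller

def bulk_readers(per_caller, min_ops=3):
    """Callers whose hunt-list volume looks like a dump rather than an app fetching one secret."""
    return sorted(c for c, ops in per_caller.items() if sum(ops.values()) >= min_ops)

def policy_writers(records):
    """Principals that successfully changed a vault access policy, per the Activity Log."""
    return sorted({r["caller"] for r in records
                   if r.get("operationName", "").lower() == POLICY_WRITE and r.get("status") == "Succeeded"})
```

A caller that appears in both `bulk_readers` and `policy_writers` matches the full methodology above (dump, then persist) and is the first thing to triage.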

Mitigate

  1. Perform an audit on accounts to ensure the following permissions are absolutely needed.

  • Microsoft.KeyVault/vaults/read

  • Microsoft.KeyVault/vaults/secrets/read

  • Microsoft.KeyVault/vaults/accessPolicies/write

  2. Audit access policy creation.

  3. Ensure that diagnostic log settings are configured and being pushed to a storage account, a Log Analytics workspace, or a SIEM.
