Detection and Compromise: Azure Key Vaults & Secrets
Step 2: List the keys and secrets stored within the Azure Key Vault
To pillage/compromise the credentials and keys stored within each key vault, an attacker needs to know the names of the keys/secrets that are stored. To list the keys and secrets within a vault, an attacker also needs to have been delegated the Microsoft.KeyVault/vaults/secrets/read permission.
There are two options for reading from an Azure vault: reading the “keys” or reading the “secrets”. The ID of every Azure Key Vault follows this convention:
In the screenshot below, you can see I have enumerated the secrets stored inside the vault “Purplehazee”. There is one key stored within this vault named “DontSeeMe”.
If you do not enable diagnostic logging on Azure Key Vaults, you will not get many interesting logs. None of the actions I have taken above, including enumerating the keys/secrets and viewing them, generate entries in the Azure Key Vault activity logs. The only action that generates entries in the Activity Logs is modification of the access policies.
Azure Activity Logs (I don’t recommend this method for detection)
The activity logs store information relating to the set-up of the Azure Key Vault, deletion of the vault and other administrative changes such as modification of the access policy. They will not contain contextual information about other attack actions, such as viewing or accessing secrets and keys. As such, this is not my recommended detection approach. I strongly recommend that diagnostic logging is enabled for proper telemetry.
During this attack flow, I modified the access policy by adding a malicious user “Bananaboy” to the Azure Key Vault “purplehazee”. This activity was recorded in the Azure Activity Log. To hunt for this entry, I would recommend looking for:
- Changed Property: properties.accessPolicies[id]
The “ID” contained within this log entry is that of the user that was added. You will need to correlate it with the UPN of the user / service principal that was added for the entry to make more sense.
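The following is an added example (not code from the original post) that runs the two hunts discussed above over constructed log entries: the Activity Log hunt for a changed `properties.accessPolicies[id]` property, with the id correlated back to a UPN, and the diagnostic-log (AuditEvent) query for secret/key reads. Running the read query over the Activity Log returns nothing, which illustrates why diagnostic logging is needed. The operation names (`Microsoft.KeyVault/vaults/write`, `SecretGet`, `SecretList`, `KeyGet`, `KeyList`), the field layout of the entries, the object id and the `DIRECTORY` lookup map are all assumptions made for this example; no entry is real telemetry.

```python
"""Detection logic over constructed Key Vault log entries (added example, not
code from the original post). Two sources are compared: the Azure Activity Log,
which records administrative writes to the vault resource, and Key Vault
diagnostic logs (AuditEvent category), which record data-plane reads.
Field names and operation names follow the public Azure schemas as assumed
here; every entry and identifier below is constructed, not real telemetry.
"""
import re

# Assumed ARM operation name recorded for any create/update of a vault resource.
VAULT_WRITE_OP = "Microsoft.KeyVault/vaults/write"
# Changed-property path the post recommends hunting for: properties.accessPolicies[<id>]
ACCESS_POLICY_PATH = re.compile(r"^properties\.accessPolicies\[(?P<id>[^\]]+)\]")
# Data-plane operations that only appear in diagnostic (AuditEvent) logs (assumed names).
READ_OPS = frozenset({"SecretGet", "SecretList", "KeyGet", "KeyList"})

# Constructed object id and directory map standing in for an Entra ID lookup.
ADDED_OBJECT_ID = "11111111-2222-3333-4444-555555555555"
DIRECTORY = {ADDED_OBJECT_ID: "bananaboy@example.invalid"}

VAULT_ID = "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/purplehazee"

# Constructed Activity Log entries. "changedProperties" mimics the change-history
# view: changed path -> (old value, new value).
ACTIVITY_LOG = [
    {"operationName": VAULT_WRITE_OP, "status": "Succeeded",
     "caller": "admin@example.invalid", "resourceId": VAULT_ID,
     "changedProperties": {
         f"properties.accessPolicies[{ADDED_OBJECT_ID}]":
             (None, {"permissions": {"secrets": ["get", "list"]}})}},
    {"operationName": VAULT_WRITE_OP, "status": "Succeeded",
     "caller": "admin@example.invalid", "resourceId": VAULT_ID,
     "changedProperties": {"properties.enableSoftDelete": (False, True)}},
]

# Constructed Key Vault diagnostic entries (AuditEvent category).
DIAGNOSTIC_LOG = [
    {"category": "AuditEvent", "operationName": "SecretList", "resultSignature": "OK",
     "identity": {"claim": {"upn": "bananaboy@example.invalid"}},
     "callerIpAddress": "203.0.113.10", "resourceId": VAULT_ID},
    {"category": "AuditEvent", "operationName": "SecretGet", "resultSignature": "OK",
     "identity": {"claim": {"upn": "bananaboy@example.invalid"}},
     "callerIpAddress": "203.0.113.10", "resourceId": VAULT_ID},
    {"category": "AuditEvent", "operationName": "VaultGet", "resultSignature": "OK",
     "identity": {"claim": {"upn": "admin@example.invalid"}},
     "callerIpAddress": "198.51.100.7", "resourceId": VAULT_ID},
]


def vault_name(resource_id):
    """The last path segment of an ARM resource id is the vault name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def access_policy_changes(entries):
    """Hunt the Activity Log for succeeded vault writes whose changed properties
    include an accessPolicies[<id>] path. Returns (vault, caller, object id, upn)."""
    hits = []
    for e in entries:
        if e.get("operationName") != VAULT_WRITE_OP or e.get("status") != "Succeeded":
            continue
        for path in e.get("changedProperties", {}):
            m = ACCESS_POLICY_PATH.match(path)
            if m:
                oid = m.group("id")
                # Correlate the raw id with a UPN, as the post recommends.
                hits.append((vault_name(e["resourceId"]), e["caller"], oid,
                             DIRECTORY.get(oid, "<unknown object id>")))
    return hits


def secret_read_events(entries):
    """Return (vault, upn, operation, ip) for data-plane read/list operations.
    Only AuditEvent diagnostic records carry these; run over the Activity Log
    the same query returns nothing."""
    hits = []
    for e in entries:
        if e.get("category") != "AuditEvent" or e.get("operationName") not in READ_OPS:
            continue
        upn = e.get("identity", {}).get("claim", {}).get("upn", "<no upn claim>")
        hits.append((vault_name(e["resourceId"]), upn, e["operationName"],
                     e.get("callerIpAddress")))
    return hits


if __name__ == "__main__":
    for hit in access_policy_changes(ACTIVITY_LOG):
        print("access policy changed:", hit)
    print("reads found in Activity Log:", secret_read_events(ACTIVITY_LOG))
    for hit in secret_read_events(DIAGNOSTIC_LOG):
        print("secret read (diagnostic log):", hit)
```

The `DIRECTORY` map is where a real hunt would call the directory (Graph) to resolve the object id to a UPN; the constructed `enableSoftDelete` write shows that the hunt keys on the changed-property path rather than on vault writes in general.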