Skip to content
Threat Feed
medium advisory

Azure Key Vault Unusual Secret Key Usage

Detects unusual secret, key, or certificate retrieval operations from Azure Key Vault by a user principal that has not been seen previously, potentially indicating unauthorized access attempts.

This detection identifies anomalous access patterns to Azure Key Vault, a critical service for securely storing secrets, keys, and certificates in Azure environments. Specifically, it focuses on the retrieval of sensitive information (secrets, keys, certificates) by user principals that have not historically accessed the resource. The rule leverages the new_terms aggregation to identify previously unseen user principal names (UPNs) accessing Key Vault resources. This aims to uncover potential credential compromise, insider threats, or the use of rogue applications to exfiltrate sensitive data. This activity can lead to data breaches or unauthorized access to critical systems and resources within the Azure environment. The rule is based on the Elastic detection rule "Azure Key Vault Unusual Secret Key Usage", version updated on 2026-04-10.

Attack Chain

  1. An attacker gains unauthorized access to an Azure account or obtains valid credentials through phishing, credential stuffing, or other means (Initial Access).
  2. The attacker leverages the compromised credentials to authenticate to the Azure environment.
  3. The attacker enumerates available Azure Key Vault resources to identify potential targets (Discovery).
  4. The attacker attempts to retrieve secrets, keys, or certificates from a Key Vault using the compromised credentials (Credential Access). The specific actions observed include "VaultGet", "KeyGet", "SecretGet", and "CertificateGet".
  5. If successful, the attacker gains access to sensitive information stored within the Key Vault, such as API keys, database passwords, or encryption keys (Credential Access).
  6. The attacker uses the retrieved credentials to further compromise other systems or resources within the Azure environment, such as databases, applications, or virtual machines (Lateral Movement, Privilege Escalation).
  7. The attacker may exfiltrate the retrieved secrets and use them to gain access to external systems or services (Exfiltration).

Impact

Successful exploitation can lead to the compromise of sensitive data stored within Azure Key Vault, including API keys, database passwords, and encryption keys. This can result in unauthorized access to critical systems and resources, data breaches, and financial losses. The number of victims and sectors targeted depends on the specific Key Vault resources compromised and the systems that rely on those resources.

Recommendation

  • Enable Azure Key Vault Diagnostic Logs, specifically the AuditEvent log, and stream them to a SIEM or monitoring platform to capture all read and write operations (Setup section in Content).
  • Deploy the Sigma rule "Azure Key Vault Unusual Secret Key Usage" to detect unusual access patterns to Azure Key Vault resources (see Rules section).
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the user principal making the retrieval requests and the specific Key Vault being accessed (see Investigation steps in Content).
  • Implement stricter access controls and policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets (see Response and remediation in Content).

Detection coverage 2

Azure Key Vault Unusual Secret Key Usage

medium

Detects unusual secret or key retrieval operations from Azure Key Vault by a user principal that has not been seen previously.

sigma tactics: credential_access techniques: T1555, T1555.006 sources: cloudtrail, azure, keyvault

Azure Key Vault Secret Retrieval by Application

low

Detects secret retrieval operations from Azure Key Vault by specific application IDs.

sigma tactics: credential_access techniques: T1555, T1555.006 sources: cloudtrail, azure, keyvault

Detection queries are available on the platform. Get full rules →