{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-key-vault/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["medium"],"_cs_tags":["azure","keyvault","credential-access","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies excessive secret or key retrieval operations from Azure Key Vault, a cloud service safeguarding encryption keys and secrets. The rule detects instances where a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short timeframe, potentially indicating abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting credential harvesting or misuse of sensitive information. An adversary might abuse a FOCI (Foreign Ownership, Control, or Influence) compliant application to evade security controls or conditional access policies, and use that to access the secrets. Published on 2026-04-10, this rule is designed to alert on potentially malicious behavior within Azure environments using data ingested into Elastic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an Azure Key Vault containing sensitive secrets or keys.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to retrieve secrets or keys from the Key Vault using valid or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through various Key Vault resources, attempting to access a wide range of secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker's activity generates multiple \u0026quot;KeyGet\u0026quot;, \u0026quot;SecretGet\u0026quot;, or \u0026quot;CertificateGet\u0026quot; events within a short time frame, triggering the detection rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the retrieved secrets or keys for use in further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or unauthorized system access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eExcessive key and secret retrievals can indicate that an attacker is attempting to compromise sensitive data stored within Azure Key Vault. Successful credential access can lead to unauthorized access to other Azure resources, data breaches, and service disruptions. The rule is triggered when a principal retrieves more than 10 key vault items and at least 2 distinct actions in a 1 minute window. This can lead to significant financial and reputational damage depending on the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Key Vault diagnostic logs, specifically the AuditEvent log, to capture read and write operations (as mentioned in the rule's setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Azure Key Vault Excessive Secret Retrieval via UPN\u0026quot; to your SIEM to detect suspicious retrieval activity based on User Principal Name, tuning the threshold (Esql.event_count \u0026gt;= 10) for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule by reviewing the \u003ccode\u003eazure.platformlogs.identity.claim.upn\u003c/code\u003e, \u003ccode\u003eazure.platformlogs.identity.claim.appid\u003c/code\u003e, and \u003ccode\u003esource.ip\u003c/code\u003e fields in the logs to identify the source and user involved.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and policies for Key Vaults to limit excessive retrievals, ensuring only authorized users and applications can access sensitive keys and secrets.\u003c/li\u003e\n\u003cli\u003eTriage users flagged by this rule with Entra ID sign-in logs to gather more context about their authentication behavior, as described in the rule's \u0026quot;Triage and Analysis\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-keyvault-excessive-retrieval/","summary":"Detects excessive secret or key retrieval operations from Azure Key Vault, indicating potential unauthorized access attempts or credential harvesting.","title":"Azure Key Vault Excessive Secret or Key Retrieval","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-keyvault-excessive-retrieval/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Secrets Manager","Google Secret Manager","Azure Key Vault","Kubernetes Secrets"],"_cs_severities":["high"],"_cs_tags":["cloud","credential-access","kubernetes"],"_cs_type":"advisory","_cs_vendors":["AWS","Google","Microsoft","Kubernetes"],"content_html":"\u003cp\u003eThis detection identifies instances where a single source IP address accesses secret-management APIs across multiple cloud environments, including AWS Secrets Manager, Google Secret Manager, Azure Key Vault, and Kubernetes Secrets. This activity, occurring within a short timeframe, is indicative of potential credential theft, session hijacking, or token replay. Attackers with compromised credentials may attempt to rapidly retrieve secrets to expand access or exfiltrate sensitive information. The rule leverages data from AWS CloudTrail, Azure platform logs, GCP audit logs, and Kubernetes audit logs. Defenders should investigate unexpected cross-cloud secret retrieval, as it is uncommon and typically points to automation misuse or malicious activity. This detection helps identify and respond to threats involving stolen authenticated sessions used to harvest secrets across diverse cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through credential theft, session hijacking, or token replay.\u003c/li\u003e\n\u003cli\u003eCompromised credentials are used to authenticate to one of the cloud provider environments (AWS, Azure, or GCP).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials to access the secret management service (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves secrets using API calls such as GetSecretValue (AWS), SecretGet/KeyGet (Azure), or AccessSecretVersion (GCP).\u003c/li\u003e\n\u003cli\u003eThe attacker pivots and uses the same compromised credentials or session to access secret management services in other cloud provider environments.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves secrets from the additional cloud environments, demonstrating cross-cloud access.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate the harvested secrets or use them to escalate privileges within the compromised cloud environments.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and expands their access by leveraging the retrieved secrets to compromise additional resources and services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised credentials and harvested secrets can lead to significant data breaches, unauthorized access to sensitive resources, and privilege escalation within cloud environments. Successful attacks can result in the exposure of sensitive data, including API keys, database passwords, and encryption keys, potentially impacting thousands of organizations. The Wiz.io blog post referenced in the rule, \u0026quot;Shai Hulud 2.0: Ongoing Supply Chain Attack,\u0026quot; underscores the potential for supply chain compromise through secret harvesting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune for your environment to detect suspicious cross-cloud secret retrieval activity.\u003c/li\u003e\n\u003cli\u003eEnable DATA_READ logging for the Secret Manager API service in GCP to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eEnable Diagnostic Logging for the Key Vault Service in Azure to capture secret access events.\u003c/li\u003e\n\u003cli\u003eReview IAM permissions and restrict secret access to least privilege across all cloud environments to limit the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for users where applicable to enhance identity security and prevent credential theft.\u003c/li\u003e\n\u003cli\u003eRotate all accessed secrets and review other secrets the identity can access if compromise is suspected, as described in the rule's response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-secrets-access/","summary":"A single source IP accessing secret-management APIs across multiple cloud providers (AWS, GCP, Azure) and Kubernetes clusters within a short timeframe indicates credential theft or token replay for secret harvesting.","title":"Multiple Cloud Secrets Accessed by Source Address","url":"https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-secrets-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["medium"],"_cs_tags":["azure","keyvault","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies anomalous access patterns to Azure Key Vault, a critical service for securely storing secrets, keys, and certificates in Azure environments. Specifically, it focuses on the retrieval of sensitive information (secrets, keys, certificates) by user principals that have not historically accessed the resource. The rule leverages the \u003ccode\u003enew_terms\u003c/code\u003e aggregation to identify previously unseen user principal names (UPNs) accessing Key Vault resources. This aims to uncover potential credential compromise, insider threats, or the use of rogue applications to exfiltrate sensitive data. This activity can lead to data breaches or unauthorized access to critical systems and resources within the Azure environment. The rule is based on the Elastic detection rule \u0026quot;Azure Key Vault Unusual Secret Key Usage\u0026quot;, version updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account or obtains valid credentials through phishing, credential stuffing, or other means (Initial Access).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials to authenticate to the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available Azure Key Vault resources to identify potential targets (Discovery).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to retrieve secrets, keys, or certificates from a Key Vault using the compromised credentials (Credential Access). The specific actions observed include \u0026quot;VaultGet\u0026quot;, \u0026quot;KeyGet\u0026quot;, \u0026quot;SecretGet\u0026quot;, and \u0026quot;CertificateGet\u0026quot;.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to sensitive information stored within the Key Vault, such as API keys, database passwords, or encryption keys (Credential Access).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the retrieved credentials to further compromise other systems or resources within the Azure environment, such as databases, applications, or virtual machines (Lateral Movement, Privilege Escalation).\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate the retrieved secrets and use them to gain access to external systems or services (Exfiltration).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data stored within Azure Key Vault, including API keys, database passwords, and encryption keys. This can result in unauthorized access to critical systems and resources, data breaches, and financial losses. The number of victims and sectors targeted depends on the specific Key Vault resources compromised and the systems that rely on those resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Key Vault Diagnostic Logs, specifically the AuditEvent log, and stream them to a SIEM or monitoring platform to capture all read and write operations (Setup section in Content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Key Vault Unusual Secret Key Usage\u0026quot; to detect unusual access patterns to Azure Key Vault resources (see Rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the user principal making the retrieval requests and the specific Key Vault being accessed (see Investigation steps in Content).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets (see Response and remediation in Content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-unusual-access/","summary":"Detects unusual secret, key, or certificate retrieval operations from Azure Key Vault by a user principal that has not been seen previously, potentially indicating unauthorized access attempts.","title":"Azure Key Vault Unusual Secret Key Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-unusual-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["low"],"_cs_tags":["azure","keyvault","configuration-audit","impact","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies modifications to Azure Key Vault, a service that safeguards encryption keys and secrets. Given the sensitivity of the data stored, access should be tightly controlled. This detection uses a new terms rule to identify when Key Vault modifications are performed by a user who hasn't been seen performing this activity within a 14-day period. This activity could indicate compromised credentials, insider threats, or misconfigured access controls. This rule helps security teams quickly identify and respond to potentially unauthorized modifications to sensitive resources within Azure environments, specifically targeting unusual user activity that deviates from established baselines. The original rule was created on 2020/08/31, and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account, potentially through credential compromise or account takeover.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to authenticate to the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available Key Vault resources within the Azure subscription.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify a Key Vault configuration, such as changing access policies, secrets, or encryption keys.\u003c/li\u003e\n\u003cli\u003eThe modification is logged as an Azure Activity Log event with operation name \u003ccode\u003eMICROSOFT.KEYVAULT/VAULTS/*\u003c/code\u003e and event outcome of \u003ccode\u003eSuccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;new terms\u0026quot; rule triggers because the user performing the modification (\u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e) is not a known user of Key Vaults, based on a 14-day history.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified Key Vault configuration to access sensitive data or disrupt services.\u003c/li\u003e\n\u003cli\u003eThe attacker may further attempt to cover their tracks by deleting audit logs or other evidence of their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized modifications to Azure Key Vault can have significant consequences, including data breaches, service disruptions, and compliance violations. The rule has a low severity and a risk score of 21. If an attacker successfully modifies a Key Vault, they could potentially access sensitive secrets and encryption keys, leading to the compromise of critical applications and data. This could affect multiple organizations that rely on the compromised Key Vault for securing their cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect unusual Key Vault modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the user (\u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e), the Key Vault resource ID (\u003ccode\u003eazure.activitylogs.resource_id\u003c/code\u003e), and the type of modification (\u003ccode\u003eazure.activitylogs.operation_name\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview Azure Key Vault access policies and ensure that only authorized users and applications have the necessary permissions.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all Azure accounts, especially those with access to sensitive resources like Key Vaults.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for any suspicious activity related to Key Vault modifications (Data Source: Azure Activity Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/","summary":"This rule identifies modifications to Azure Key Vaults by unusual users, potentially leading to data breaches or service disruptions through defense evasion or impact operations.","title":"Azure Key Vault Modified by Unusual User","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Key Vault","version":"https://jsonfeed.org/version/1.1"}