{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/keyvault/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["medium"],"_cs_tags":["azure","keyvault","credential-access","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies excessive secret or key retrieval operations from Azure Key Vault, a cloud service safeguarding encryption keys and secrets. The rule detects instances where a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short timeframe, potentially indicating abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting credential harvesting or misuse of sensitive information. An adversary might abuse a FOCI (Foreign Ownership, Control, or Influence) compliant application to evade security controls or conditional access policies, and use that to access the secrets. Published on 2026-04-10, this rule is designed to alert on potentially malicious behavior within Azure environments using data ingested into Elastic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an Azure Key Vault containing sensitive secrets or keys.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to retrieve secrets or keys from the Key Vault using valid or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through various Key Vault resources, attempting to access a wide range of secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker's activity generates multiple \u0026quot;KeyGet\u0026quot;, \u0026quot;SecretGet\u0026quot;, or \u0026quot;CertificateGet\u0026quot; events within a short time frame, triggering the detection rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the retrieved secrets or keys for use in further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or unauthorized system access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eExcessive key and secret retrievals can indicate that an attacker is attempting to compromise sensitive data stored within Azure Key Vault. Successful credential access can lead to unauthorized access to other Azure resources, data breaches, and service disruptions. The rule is triggered when a principal retrieves more than 10 key vault items and at least 2 distinct actions in a 1 minute window. This can lead to significant financial and reputational damage depending on the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Key Vault diagnostic logs, specifically the AuditEvent log, to capture read and write operations (as mentioned in the rule's setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Azure Key Vault Excessive Secret Retrieval via UPN\u0026quot; to your SIEM to detect suspicious retrieval activity based on User Principal Name, tuning the threshold (Esql.event_count \u0026gt;= 10) for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule by reviewing the \u003ccode\u003eazure.platformlogs.identity.claim.upn\u003c/code\u003e, \u003ccode\u003eazure.platformlogs.identity.claim.appid\u003c/code\u003e, and \u003ccode\u003esource.ip\u003c/code\u003e fields in the logs to identify the source and user involved.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and policies for Key Vaults to limit excessive retrievals, ensuring only authorized users and applications can access sensitive keys and secrets.\u003c/li\u003e\n\u003cli\u003eTriage users flagged by this rule with Entra ID sign-in logs to gather more context about their authentication behavior, as described in the rule's \u0026quot;Triage and Analysis\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-keyvault-excessive-retrieval/","summary":"Detects excessive secret or key retrieval operations from Azure Key Vault, indicating potential unauthorized access attempts or credential harvesting.","title":"Azure Key Vault Excessive Secret or Key Retrieval","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-keyvault-excessive-retrieval/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["medium"],"_cs_tags":["azure","keyvault","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies anomalous access patterns to Azure Key Vault, a critical service for securely storing secrets, keys, and certificates in Azure environments. Specifically, it focuses on the retrieval of sensitive information (secrets, keys, certificates) by user principals that have not historically accessed the resource. The rule leverages the \u003ccode\u003enew_terms\u003c/code\u003e aggregation to identify previously unseen user principal names (UPNs) accessing Key Vault resources. This aims to uncover potential credential compromise, insider threats, or the use of rogue applications to exfiltrate sensitive data. This activity can lead to data breaches or unauthorized access to critical systems and resources within the Azure environment. The rule is based on the Elastic detection rule \u0026quot;Azure Key Vault Unusual Secret Key Usage\u0026quot;, version updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account or obtains valid credentials through phishing, credential stuffing, or other means (Initial Access).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials to authenticate to the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available Azure Key Vault resources to identify potential targets (Discovery).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to retrieve secrets, keys, or certificates from a Key Vault using the compromised credentials (Credential Access). The specific actions observed include \u0026quot;VaultGet\u0026quot;, \u0026quot;KeyGet\u0026quot;, \u0026quot;SecretGet\u0026quot;, and \u0026quot;CertificateGet\u0026quot;.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to sensitive information stored within the Key Vault, such as API keys, database passwords, or encryption keys (Credential Access).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the retrieved credentials to further compromise other systems or resources within the Azure environment, such as databases, applications, or virtual machines (Lateral Movement, Privilege Escalation).\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate the retrieved secrets and use them to gain access to external systems or services (Exfiltration).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data stored within Azure Key Vault, including API keys, database passwords, and encryption keys. This can result in unauthorized access to critical systems and resources, data breaches, and financial losses. The number of victims and sectors targeted depends on the specific Key Vault resources compromised and the systems that rely on those resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Key Vault Diagnostic Logs, specifically the AuditEvent log, and stream them to a SIEM or monitoring platform to capture all read and write operations (Setup section in Content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Key Vault Unusual Secret Key Usage\u0026quot; to detect unusual access patterns to Azure Key Vault resources (see Rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the user principal making the retrieval requests and the specific Key Vault being accessed (see Investigation steps in Content).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets (see Response and remediation in Content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-unusual-access/","summary":"Detects unusual secret, key, or certificate retrieval operations from Azure Key Vault by a user principal that has not been seen previously, potentially indicating unauthorized access attempts.","title":"Azure Key Vault Unusual Secret Key Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-unusual-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Key Vault"],"_cs_severities":["low"],"_cs_tags":["azure","keyvault","configuration-audit","impact","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies modifications to Azure Key Vault, a service that safeguards encryption keys and secrets. Given the sensitivity of the data stored, access should be tightly controlled. This detection uses a new terms rule to identify when Key Vault modifications are performed by a user who hasn't been seen performing this activity within a 14-day period. This activity could indicate compromised credentials, insider threats, or misconfigured access controls. This rule helps security teams quickly identify and respond to potentially unauthorized modifications to sensitive resources within Azure environments, specifically targeting unusual user activity that deviates from established baselines. The original rule was created on 2020/08/31, and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account, potentially through credential compromise or account takeover.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to authenticate to the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available Key Vault resources within the Azure subscription.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify a Key Vault configuration, such as changing access policies, secrets, or encryption keys.\u003c/li\u003e\n\u003cli\u003eThe modification is logged as an Azure Activity Log event with operation name \u003ccode\u003eMICROSOFT.KEYVAULT/VAULTS/*\u003c/code\u003e and event outcome of \u003ccode\u003eSuccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;new terms\u0026quot; rule triggers because the user performing the modification (\u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e) is not a known user of Key Vaults, based on a 14-day history.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified Key Vault configuration to access sensitive data or disrupt services.\u003c/li\u003e\n\u003cli\u003eThe attacker may further attempt to cover their tracks by deleting audit logs or other evidence of their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized modifications to Azure Key Vault can have significant consequences, including data breaches, service disruptions, and compliance violations. The rule has a low severity and a risk score of 21. If an attacker successfully modifies a Key Vault, they could potentially access sensitive secrets and encryption keys, leading to the compromise of critical applications and data. This could affect multiple organizations that rely on the compromised Key Vault for securing their cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect unusual Key Vault modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the user (\u003ccode\u003eazure.activitylogs.identity.claims_initiated_by_user.name\u003c/code\u003e), the Key Vault resource ID (\u003ccode\u003eazure.activitylogs.resource_id\u003c/code\u003e), and the type of modification (\u003ccode\u003eazure.activitylogs.operation_name\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview Azure Key Vault access policies and ensure that only authorized users and applications have the necessary permissions.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all Azure accounts, especially those with access to sensitive resources like Key Vaults.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for any suspicious activity related to Key Vault modifications (Data Source: Azure Activity Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/","summary":"This rule identifies modifications to Azure Key Vaults by unusual users, potentially leading to data breaches or service disruptions through defense evasion or impact operations.","title":"Azure Key Vault Modified by Unusual User","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/"}],"language":"en","title":"CraftedSignal Threat Feed - Keyvault","version":"https://jsonfeed.org/version/1.1"}