<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Keyvault - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/keyvault/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/keyvault/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Key Vault Excessive Secret or Key Retrieval</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-keyvault-excessive-retrieval/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-keyvault-excessive-retrieval/</guid><description>Detects excessive secret or key retrieval operations from Azure Key Vault, indicating potential unauthorized access attempts or credential harvesting.</description><content:encoded><![CDATA[<p>This rule identifies excessive secret or key retrieval operations from Azure Key Vault, a cloud service safeguarding encryption keys and secrets. The rule detects instances where a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short timeframe, potentially indicating abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting credential harvesting or misuse of sensitive information. An adversary might abuse a FOCI (Foreign Ownership, Control, or Influence) compliant application to evade security controls or conditional access policies, and use that to access the secrets. Published on 2026-04-10, this rule is designed to alert on potentially malicious behavior within Azure environments using data ingested into Elastic.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure environment, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker identifies an Azure Key Vault containing sensitive secrets or keys.</li>
<li>The attacker attempts to retrieve secrets or keys from the Key Vault using valid or stolen credentials.</li>
<li>The attacker iterates through various Key Vault resources, attempting to access a wide range of secrets.</li>
<li>The attacker's activity generates multiple &quot;KeyGet&quot;, &quot;SecretGet&quot;, or &quot;CertificateGet&quot; events within a short time frame, triggering the detection rule.</li>
<li>The attacker exfiltrates the retrieved secrets or keys for use in further malicious activities.</li>
<li>The attacker uses the obtained credentials to access sensitive data or systems.</li>
<li>The attacker achieves their objective, such as data theft or unauthorized system access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Excessive key and secret retrievals can indicate that an attacker is attempting to compromise sensitive data stored within Azure Key Vault. Successful credential access can lead to unauthorized access to other Azure resources, data breaches, and service disruptions. The rule is triggered when a principal retrieves more than 10 key vault items and at least 2 distinct actions in a 1 minute window. This can lead to significant financial and reputational damage depending on the sensitivity of the compromised data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Azure Key Vault diagnostic logs, specifically the AuditEvent log, to capture read and write operations (as mentioned in the rule's setup section).</li>
<li>Deploy the provided Sigma rule &quot;Azure Key Vault Excessive Secret Retrieval via UPN&quot; to your SIEM to detect suspicious retrieval activity based on User Principal Name, tuning the threshold (Esql.event_count &gt;= 10) for your environment.</li>
<li>Investigate alerts triggered by the Sigma rule by reviewing the <code>azure.platformlogs.identity.claim.upn</code>, <code>azure.platformlogs.identity.claim.appid</code>, and <code>source.ip</code> fields in the logs to identify the source and user involved.</li>
<li>Implement stricter access controls and policies for Key Vaults to limit excessive retrievals, ensuring only authorized users and applications can access sensitive keys and secrets.</li>
<li>Triage users flagged by this rule with Entra ID sign-in logs to gather more context about their authentication behavior, as described in the rule's &quot;Triage and Analysis&quot; section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>keyvault</category><category>credential-access</category><category>threat-detection</category></item><item><title>Azure Key Vault Unusual Secret Key Usage</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-unusual-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-unusual-access/</guid><description>Detects unusual secret, key, or certificate retrieval operations from Azure Key Vault by a user principal that has not been seen previously, potentially indicating unauthorized access attempts.</description><content:encoded><![CDATA[<p>This detection identifies anomalous access patterns to Azure Key Vault, a critical service for securely storing secrets, keys, and certificates in Azure environments. Specifically, it focuses on the retrieval of sensitive information (secrets, keys, certificates) by user principals that have not historically accessed the resource. The rule leverages the <code>new_terms</code> aggregation to identify previously unseen user principal names (UPNs) accessing Key Vault resources. This aims to uncover potential credential compromise, insider threats, or the use of rogue applications to exfiltrate sensitive data. This activity can lead to data breaches or unauthorized access to critical systems and resources within the Azure environment. The rule is based on the Elastic detection rule &quot;Azure Key Vault Unusual Secret Key Usage&quot;, version updated on 2026-04-10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Azure account or obtains valid credentials through phishing, credential stuffing, or other means (Initial Access).</li>
<li>The attacker leverages the compromised credentials to authenticate to the Azure environment.</li>
<li>The attacker enumerates available Azure Key Vault resources to identify potential targets (Discovery).</li>
<li>The attacker attempts to retrieve secrets, keys, or certificates from a Key Vault using the compromised credentials (Credential Access). The specific actions observed include &quot;VaultGet&quot;, &quot;KeyGet&quot;, &quot;SecretGet&quot;, and &quot;CertificateGet&quot;.</li>
<li>If successful, the attacker gains access to sensitive information stored within the Key Vault, such as API keys, database passwords, or encryption keys (Credential Access).</li>
<li>The attacker uses the retrieved credentials to further compromise other systems or resources within the Azure environment, such as databases, applications, or virtual machines (Lateral Movement, Privilege Escalation).</li>
<li>The attacker may exfiltrate the retrieved secrets and use them to gain access to external systems or services (Exfiltration).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of sensitive data stored within Azure Key Vault, including API keys, database passwords, and encryption keys. This can result in unauthorized access to critical systems and resources, data breaches, and financial losses. The number of victims and sectors targeted depends on the specific Key Vault resources compromised and the systems that rely on those resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Azure Key Vault Diagnostic Logs, specifically the AuditEvent log, and stream them to a SIEM or monitoring platform to capture all read and write operations (Setup section in Content).</li>
<li>Deploy the Sigma rule &quot;Azure Key Vault Unusual Secret Key Usage&quot; to detect unusual access patterns to Azure Key Vault resources (see Rules section).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on identifying the user principal making the retrieval requests and the specific Key Vault being accessed (see Investigation steps in Content).</li>
<li>Implement stricter access controls and policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets (see Response and remediation in Content).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>keyvault</category><category>credential-access</category></item><item><title>Azure Key Vault Modified by Unusual User</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-keyvault-modified/</guid><description>This rule identifies modifications to Azure Key Vaults by unusual users, potentially leading to data breaches or service disruptions through defense evasion or impact operations.</description><content:encoded><![CDATA[<p>This detection identifies modifications to Azure Key Vault, a service that safeguards encryption keys and secrets. Given the sensitivity of the data stored, access should be tightly controlled. This detection uses a new terms rule to identify when Key Vault modifications are performed by a user who hasn't been seen performing this activity within a 14-day period. This activity could indicate compromised credentials, insider threats, or misconfigured access controls. This rule helps security teams quickly identify and respond to potentially unauthorized modifications to sensitive resources within Azure environments, specifically targeting unusual user activity that deviates from established baselines. The original rule was created on 2020/08/31, and updated on 2026/04/10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Azure account, potentially through credential compromise or account takeover.</li>
<li>The attacker leverages the compromised account to authenticate to the Azure environment.</li>
<li>The attacker enumerates available Key Vault resources within the Azure subscription.</li>
<li>The attacker attempts to modify a Key Vault configuration, such as changing access policies, secrets, or encryption keys.</li>
<li>The modification is logged as an Azure Activity Log event with operation name <code>MICROSOFT.KEYVAULT/VAULTS/*</code> and event outcome of <code>Success</code>.</li>
<li>The &quot;new terms&quot; rule triggers because the user performing the modification (<code>azure.activitylogs.identity.claims_initiated_by_user.name</code>) is not a known user of Key Vaults, based on a 14-day history.</li>
<li>The attacker leverages the modified Key Vault configuration to access sensitive data or disrupt services.</li>
<li>The attacker may further attempt to cover their tracks by deleting audit logs or other evidence of their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Unauthorized modifications to Azure Key Vault can have significant consequences, including data breaches, service disruptions, and compliance violations. The rule has a low severity and a risk score of 21. If an attacker successfully modifies a Key Vault, they could potentially access sensitive secrets and encryption keys, leading to the compromise of critical applications and data. This could affect multiple organizations that rely on the compromised Key Vault for securing their cloud infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect unusual Key Vault modifications.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on the user (<code>azure.activitylogs.identity.claims_initiated_by_user.name</code>), the Key Vault resource ID (<code>azure.activitylogs.resource_id</code>), and the type of modification (<code>azure.activitylogs.operation_name</code>).</li>
<li>Review Azure Key Vault access policies and ensure that only authorized users and applications have the necessary permissions.</li>
<li>Enable multi-factor authentication (MFA) for all Azure accounts, especially those with access to sensitive resources like Key Vaults.</li>
<li>Monitor Azure Activity Logs for any suspicious activity related to Key Vault modifications (Data Source: Azure Activity Logs).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>keyvault</category><category>configuration-audit</category><category>impact</category><category>defense-evasion</category></item></channel></rss>