Microsoft.KeyVault/vaults/accessPolicies/write
Event
Modifies Key Vault access policies, potentially granting unauthorized access to secrets, keys, and certificates.
Security Context
- Key Vault access policies control who can read, list, and manage secrets, keys, and certificates; modifying them can grant an adversary access to stored credentials, encryption keys, and TLS certificates.
- Adversaries modify access policies to grant themselves or a compromised identity permissions to retrieve secrets, which often contain database connection strings, API keys, and other sensitive credentials.
Log Source
Azure Activity Log
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access
Techniques:
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.