Microsoft.KeyVault/vaults/certificates/read
Azure
Microsoft.KeyVault/vaults/certificates/read
Event
Reads a certificate stored in an Azure Key Vault.
Security Context
- Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
Log Source
Key Vault Diagnostic Logs (AuditEvent)
Sample Event
Adversarial. Following the access-policy modification (accessPolicies/write), draco@fantasticlogs.cloud reads the TLS certificate bowtruckle-prod-tls-cert from kv-bowtruckle-prod. The data-plane request hits the vault directly at kv-bowtruckle-prod.vault.azure.net. The request is authenticated as Draco’s user identity via OAuth2 bearer token (no MSI / SP).
{ "time": "2026-04-15T17:48:21.5421047Z", "resourceId": "/SUBSCRIPTIONS/20000000-0000-4000-8000-000000000001/RESOURCEGROUPS/RG-BOWTRUCKLE-VAULT/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-BOWTRUCKLE-PROD", "operationName": "CertificateGet", "operationVersion": "7.4", "category": "AuditEvent", "resultType": "Success", "resultSignature": "OK", "resultDescription": "", "durationMs": "47", "callerIpAddress": "203.0.113.66", "correlationId": "90000000-0000-4000-8000-000100000011", "identity": { "claim": { "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation" } }, "properties": { "id": "https://kv-bowtruckle-prod.vault.azure.net/certificates/bowtruckle-prod-tls-cert/a1b2c3d4e5f60000111100001010011010", "clientInfo": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)", "requestUri": "https://kv-bowtruckle-prod.vault.azure.net/certificates/bowtruckle-prod-tls-cert/a1b2c3d4e5f60000111100001010011010?api-version=7.4", "httpStatusCode": 200 }, "tenantId": "10000000-0000-4000-8000-000000000001"}MITRE ATT&CK Mapping
Tactics: Credential Access Discovery
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
- T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...