Skip to content

Microsoft.KeyVault/vaults/keys/read

Azure

Microsoft.KeyVault/vaults/keys/read

service: Azure - Key Vault
techniques:

Event

Reads a cryptographic key from an Azure Key Vault.

Security Context

  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

Key Vault Diagnostic Logs (AuditEvent)

Sample Event

Adversarial. After modifying access policies on kv-bowtruckle-prod, draco@fantasticlogs.cloud reads the data-encryption key bowtruckle-data-encryption-key from the vault. KeyGet returns the JsonWebKey (kty/n/e/etc.) — for a non-HSM, non-extractable key the private material is not returned, but for a software-protected exportable key it is. Either way, this is a high-signal credential-access event.

{
"time": "2026-04-15T17:50:33.2148201Z",
"resourceId": "/SUBSCRIPTIONS/20000000-0000-4000-8000-000000000001/RESOURCEGROUPS/RG-BOWTRUCKLE-VAULT/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-BOWTRUCKLE-PROD",
"operationName": "KeyGet",
"operationVersion": "7.4",
"category": "AuditEvent",
"resultType": "Success",
"resultSignature": "OK",
"resultDescription": "",
"durationMs": "32",
"callerIpAddress": "203.0.113.66",
"correlationId": "90000000-0000-4000-8000-000100000111",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation"
}
},
"properties": {
"id": "https://kv-bowtruckle-prod.vault.azure.net/keys/bowtruckle-data-encryption-key/0a1b2c3d4e5f60001010011010aabbcc",
"clientInfo": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)",
"requestUri": "https://kv-bowtruckle-prod.vault.azure.net/keys/bowtruckle-data-encryption-key/0a1b2c3d4e5f60001010011010aabbcc?api-version=7.4",
"httpStatusCode": 200
},
"tenantId": "10000000-0000-4000-8000-000000000001"
}

MITRE ATT&CK Mapping

Tactics: Credential Access Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...
  • T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...