Microsoft.KeyVault/vaults/secrets/read
Event
Reads a secret value from an Azure Key Vault.
Security Context
- Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
Log Source
Key Vault Diagnostic Logs (AuditEvent)
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access, Discovery
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g.
- T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS).
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
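As an added example (not part of the original page), the following sketch shows one way to hunt over Key Vault AuditEvent records for an identity that successfully reads several distinct secrets in a short window. It uses the `SecretGet` operation name and the `properties.id`, `properties.httpStatusCode` and object-identifier claim fields of the Key Vault diagnostic log schema; the threshold, the window, the helper names and every sample record are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

OID = "http://schemas.microsoft.com/identity/claims/objectidentifier"

def _rec(ts, oid, secret, status=200):
    return json.dumps({"time": ts, "category": "AuditEvent", "operationName": "SecretGet",
        "identity": {"claim": {OID: oid}}, "properties": {"httpStatusCode": status,
            "id": f"https://example-vault.vault.azure.net/secrets/{secret}"}})

# Constructed sample records (not real log data); vault and caller ids are placeholders.
SAMPLE = [
    _rec("2024-05-01T10:00:05Z", "caller-a", "db-password"),
    _rec("2024-05-01T10:00:40Z", "caller-a", "api-key"),
    _rec("2024-05-01T10:01:10Z", "caller-a", "storage-key"),
    _rec("2024-05-01T10:00:00Z", "caller-b", "db-password"),
    _rec("2024-05-01T10:01:00Z", "caller-b", "db-password"),
    _rec("2024-05-01T10:02:00Z", "caller-b", "api-key", status=403),
    _rec("2024-05-01T10:00:00Z", "caller-c", "db-password"),
    _rec("2024-05-01T10:30:00Z", "caller-c", "api-key"),
    _rec("2024-05-01T11:00:00Z", "caller-c", "storage-key"),
]

def secret_reads(lines):
    """Yield (time, caller, secret name) for each successful SecretGet."""
    for ev in map(json.loads, lines):
        props = ev.get("properties", {})
        name = props.get("id", "").partition("/secrets/")[2].split("/")[0]
        if (ev.get("category") != "AuditEvent" or ev.get("operationName") != "SecretGet"
                or not name or props.get("httpStatusCode") != 200):
            continue
        # Keep second precision only; all timestamps are treated as UTC.
        ts = datetime.fromisoformat(ev["time"][:19])
        yield ts, ev.get("identity", {}).get("claim", {}).get(OID, "unknown"), name

def bulk_readers(lines, threshold=3, window=timedelta(minutes=5)):
    """Map caller -> secrets for callers reading >= threshold distinct secrets in one window."""
    by_caller = defaultdict(list)
    for ts, caller, name in secret_reads(lines):
        by_caller[caller].append((ts, name))
    flagged = {}
    for caller, reads in by_caller.items():
        for start, _ in reads:
            names = {n for t, n in reads if timedelta(0) <= t - start <= window}
            if len(names) >= threshold:
                flagged[caller] = sorted(names)
                break
    return flagged
```

Repeated reads of the same secret and denied requests do not count toward the threshold, so a service polling one secret stays quiet while a burst across many secrets is flagged.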