Skip to content

Microsoft.KeyVault/vaults/secrets/read

Azure

Microsoft.KeyVault/vaults/secrets/read

service: Azure - Key Vault
techniques:

Event

Reads a secret value from an Azure Key Vault.

Security Context

  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

Key Vault Diagnostic Logs (AuditEvent)

Sample Event

Adversarial. After modifying access policies on kv-bowtruckle-prod, draco@fantasticlogs.cloud reads the production database password secret. SecretGet returns the plaintext value to the caller.

{
"time": "2026-04-15T17:51:09.7842155Z",
"resourceId": "/SUBSCRIPTIONS/20000000-0000-4000-8000-000000000001/RESOURCEGROUPS/RG-BOWTRUCKLE-VAULT/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-BOWTRUCKLE-PROD",
"operationName": "SecretGet",
"operationVersion": "7.4",
"category": "AuditEvent",
"resultType": "Success",
"resultSignature": "OK",
"resultDescription": "",
"durationMs": "28",
"callerIpAddress": "203.0.113.66",
"correlationId": "90000000-0000-4000-8000-000100001011",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation"
}
},
"properties": {
"id": "https://kv-bowtruckle-prod.vault.azure.net/secrets/bowtruckle-prod-db-password/9f8e7d6c5b4a30001010011010ddeeff",
"clientInfo": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)",
"requestUri": "https://kv-bowtruckle-prod.vault.azure.net/secrets/bowtruckle-prod-db-password/?api-version=7.4",
"httpStatusCode": 200
},
"tenantId": "10000000-0000-4000-8000-000000000001"
}

MITRE ATT&CK Mapping

Tactics: Credential Access Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...
  • T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...