VaultPatch
Event
Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Credential harvesting enables adversaries to expand their access by obtaining authentication material for additional services and accounts.
Log Source
Azure Activity Log
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion Credential Access
Techniques:
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.