VaultPatch
Azure
VaultPatch
Event
Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Credential harvesting enables adversaries to expand their access by obtaining authentication material for additional services and accounts.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud patches the kv-bowtruckle-prod vault to weaken its network ACL, removing the IP restriction that previously locked the vault to corporate egress. He leaves purge protection unset — once enabled it cannot be removed, so the patch request submits it as null and the existing protection stays in place. After the patch, the vault accepts requests from any internet IP — Draco’s data-plane secret-read calls now succeed without VPN/ExpressRoute. Defense evasion + credential access.
{ "authorization": { "action": "Microsoft.KeyVault/vaults/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "kvPatch233ExampleUtid", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100100011", "description": "", "eventDataId": "90000000-0000-4000-8000-000100100100", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T17:44:18.4218072Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod/events/90000000-0000-4000-8000-000100100100/ticks/638798210584218072", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100111101", "operationName": { "value": "Microsoft.KeyVault/vaults/write", "localizedValue": "VaultPatch" }, "resourceGroupName": "rg-bowtruckle-vault", "resourceProviderName": { "value": "Microsoft.KeyVault", "localizedValue": "Microsoft.KeyVault" }, "resourceType": { "value": "Microsoft.KeyVault/vaults", "localizedValue": "Microsoft.KeyVault/vaults" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T17:44:19.0301428Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod", "message": "Microsoft.KeyVault/vaults/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"properties\":{\"enableSoftDelete\":true,\"enablePurgeProtection\":null,\"networkAcls\":{\"defaultAction\":\"Allow\",\"bypass\":\"AzureServices\",\"ipRules\":[],\"virtualNetworkRules\":[]}}}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Defense Impairment Credential Access
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...