Skip to content

VaultPatch

Azure

VaultPatch

service: Azure - Azure Key Vault
techniques:

Event

Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Credential harvesting enables adversaries to expand their access by obtaining authentication material for additional services and accounts.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud patches the kv-bowtruckle-prod vault to weaken its network ACL, removing the IP restriction that previously locked the vault to corporate egress. He leaves purge protection unset — once enabled it cannot be removed, so the patch request submits it as null and the existing protection stays in place. After the patch, the vault accepts requests from any internet IP — Draco’s data-plane secret-read calls now succeed without VPN/ExpressRoute. Defense evasion + credential access.

{
"authorization": {
"action": "Microsoft.KeyVault/vaults/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "kvPatch233ExampleUtid",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100100011",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100100100",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:44:18.4218072Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod/events/90000000-0000-4000-8000-000100100100/ticks/638798210584218072",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100111101",
"operationName": {
"value": "Microsoft.KeyVault/vaults/write",
"localizedValue": "VaultPatch"
},
"resourceGroupName": "rg-bowtruckle-vault",
"resourceProviderName": {
"value": "Microsoft.KeyVault",
"localizedValue": "Microsoft.KeyVault"
},
"resourceType": {
"value": "Microsoft.KeyVault/vaults",
"localizedValue": "Microsoft.KeyVault/vaults"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:44:19.0301428Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod",
"message": "Microsoft.KeyVault/vaults/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"properties\":{\"enableSoftDelete\":true,\"enablePurgeProtection\":null,\"networkAcls\":{\"defaultAction\":\"Allow\",\"bypass\":\"AzureServices\",\"ipRules\":[],\"virtualNetworkRules\":[]}}}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Credential Access

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
  • T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...