Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

Azure Suspect Key Vault Enumeration

Azure Suspect Key Vault Enumeration
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • Unusually high number of list or metadata access requests for secrets, certificates, or keys within a short time period.
  • Enumeration attempts by accounts or service principals that have not previously accessed Key Vault resources.
  • Multiple requests within a short duration, suggesting automated or scripted enumeration.

Possible Root Causes

  • Unauthorized Access: A compromised account or service principal is attempting to gather information on available Key Vault resources.
  • Legitimate Security or Compliance Scans: Internal teams may be conducting security assessments, but the activity is unusually high in volume or occurring at atypical times.
  • Automated Enumeration: Internal or external actors may be using automated scripts or tools to list or enumerate Key Vault items for reconnaissance purposes.

Business Impact

  • Enumerating Key Vault resources may enable attackers to identify high-value secrets or keys, increasing the risk of targeted attacks.
  • Results of Key Vault enumeration can inform lateral movement or privilege escalation within the cloud environment.

Steps to Verify

  • Review Key Vault Logs: Check logs for an unusually high frequency of list or metadata access requests focused on secrets, certificates, or keys.
  • Analyze Access Patterns: Verify if the accessing account or service principal shows unusual behavior, such as first-time access or access outside regular hours.
  • Confirm Permissions: Ensure that Key Vault permissions were not recently modified, which could indicate privilege escalation.
  • Actions if Confirmed Suspicious:
    • Limit or revoke permissions for any accounts or service principals involved in the suspicious enumeration activity.
    • Apply temporary restrictions to IPs or regions associated with the unusual access patterns.
    • Conduct a review of Key Vault permissions and access policies to ensure they are properly restricted and monitored.
    • Notify the security team and document the event in the incident management system for follow-up and potential escalation.
Azure Suspect Key Vault Enumeration

Possible root causes

Malicious Detection

Benign Detection

Azure Suspect Key Vault Enumeration

Example scenarios

Azure Suspect Key Vault Enumeration

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspect Key Vault Enumeration

Steps to investigate

Azure Suspect Key Vault Enumeration

MITRE ATT&CK techniques covered

Active Scanning

T1595
Azure Suspect Key Vault Enumeration

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs