Azure Suspect Key Vault Enumeration

Detection overview

Triggers

  • An unusually high number of list or metadata requests (listing secrets, keys, or certificates, or reading vault properties) within a short time period.
  • Enumeration by an account or service principal that has not previously accessed Key Vault resources.
  • Many requests in rapid, regular succession, suggesting automated or scripted enumeration rather than interactive use.

Possible Root Causes

  • Unauthorized Access: A compromised account or service principal is listing Key Vault contents to learn which secrets, keys, or certificates are available before reading them.
  • Legitimate Security or Compliance Scans: Internal teams may be running security assessments or inventory tooling, but the activity is unusually high in volume or occurring at atypical times.
  • Automated Enumeration: Internal or external actors are using scripts or tools to list Key Vault items for reconnaissance.

Business Impact

  • Enumerating Key Vault resources may enable attackers to identify high-value secrets or keys, increasing the risk of targeted attacks.
  • Results of Key Vault enumeration can inform lateral movement or privilege escalation within the cloud environment.

Steps to Verify

  • Review Key Vault Logs: Data-plane operations reach Log Analytics only if diagnostic settings with the AuditEvent category are enabled on the vault, so confirm that first. Then look for an unusually high rate of list or metadata operations (for example SecretList, KeyList, CertificateList, VaultGet) from one caller, and check whether the listing was followed by value reads (for example SecretGet) by the same caller; reads of actual values turn a review into a rotation.
  • Analyze Access Patterns: Check whether the account or service principal has accessed Key Vault before, whether the caller IP address and location match its usual ones, and whether the activity falls outside regular working hours.
  • Confirm Permissions: In the Activity Log, look for recent role assignment writes (RBAC permission model) or access policy writes (vault access policy model) on the vault; a grant shortly before the enumeration could indicate privilege escalation.
  • Actions if Confirmed Suspicious:
    • Limit or revoke the permissions of the accounts or service principals involved and, for a compromised identity, reset its credentials.
    • Restrict the source IPs associated with the activity using the Key Vault firewall and virtual network rules, or restrict sign-in locations through Conditional Access.
    • Review the vault's permissions and access policies to ensure they follow least privilege and that logging and alerting cover list and get operations.
    • Notify the security team and document the event in the incident management system for follow-up and potential escalation.
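The triggers and verification steps above, applied to constructed Key Vault log records. This is an added example, not code from the page or from any vendor's detection; the record shape mimics Key Vault AuditEvent rows exported through diagnostic settings and Azure Activity Log entries, but the field names, the "app:"/"user:" caller labels, the thresholds and the sample data are assumptions for this example only.

```python
"""Key Vault enumeration triggers and triage over constructed log records.
Added example; not code from the page or from any vendor.

The records mimic Key Vault AuditEvent rows exported through diagnostic
settings (time, operationName, callerIpAddress, caller identity, resourceId)
and Azure Activity Log entries.  Field names, the "app:"/"user:" caller labels,
thresholds and the sample data are assumptions for this example only."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Key Vault operations that reveal what a vault holds without reading a value.
ENUM_OPS = {"VaultGet", "SecretList", "KeyList", "CertificateList"}
# Activity Log operations that change who may read a vault (RBAC or access policy).
PERMISSION_OPS = {"Microsoft.Authorization/roleAssignments/write",
                  "Microsoft.KeyVault/vaults/accessPolicies/write"}


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_enumeration(records, baseline_callers, window=timedelta(minutes=5),
                       threshold=20, min_scripted_calls=5):
    """One finding per caller that matches a trigger: a burst of list/metadata
    calls inside `window`, a caller absent from the historical baseline, or a
    near-constant request interval (scripted rather than interactive)."""
    by_caller = defaultdict(list)
    for r in records:
        if r["operationName"] in ENUM_OPS:
            by_caller[r["caller"]].append(parse_time(r["time"]))
    findings = []
    for caller, times in by_caller.items():
        times.sort()
        peak, start = 0, 0                      # most calls in any sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} enumeration calls within {window}")
        if caller not in baseline_callers:
            reasons.append("no prior Key Vault access in baseline")
        if len(gaps) >= min_scripted_calls and max(gaps) - min(gaps) < 1.0:
            reasons.append("near-constant request interval, likely scripted")
        if reasons:
            findings.append({"caller": caller, "peak_in_window": peak,
                             "first": times[0], "last": times[-1], "reasons": reasons})
    return findings


def triage(finding, activity_log, vault_id, business_hours=(8, 18),
           lookback=timedelta(days=7)):
    """Verification context: off-hours access (UTC here; use the tenant's zone)
    and permission changes on the vault shortly before the enumeration."""
    first, last = finding["first"], finding["last"]
    off_hours = first.weekday() >= 5 or not (business_hours[0] <= first.hour < business_hours[1])
    changes = [e for e in activity_log
               if e["operationName"] in PERMISSION_OPS
               and e["resourceId"].lower().startswith(vault_id.lower())
               and first - lookback <= parse_time(e["time"]) <= last]
    return {"caller": finding["caller"], "off_hours": off_hours,
            "recent_permission_changes": changes}


# Constructed sample data (not real logs): a known pipeline reads a few secrets on
# a Friday afternoon; an unseen service principal lists secrets every two seconds
# at 02:13 on a Saturday, hours after a new role assignment on the vault.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod")
BASELINE_CALLERS = {"app:deploy-pipeline", "user:ops@contoso.example"}


def _rec(t, op, caller, ip):
    return {"time": t.isoformat(), "operationName": op, "caller": caller,
            "callerIpAddress": ip, "resourceId": VAULT_ID}


_day = datetime(2024, 5, 3, 14, 0, tzinfo=timezone.utc)
_night = datetime(2024, 5, 4, 2, 13, tzinfo=timezone.utc)
SAMPLE_RECORDS = (
    [_rec(_day + timedelta(minutes=10 * i), ("VaultGet", "SecretGet")[i % 2],
          "app:deploy-pipeline", "10.1.2.3") for i in range(4)]
    + [_rec(_night + timedelta(seconds=2 * i), "SecretList",
            "app:unseen-sp", "203.0.113.7") for i in range(30)]
)
SAMPLE_ACTIVITY_LOG = [
    {"time": "2024-05-03T23:40:00Z", "caller": "user:admin@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": VAULT_ID + "/providers/Microsoft.Authorization/roleAssignments/x"},
    {"time": "2024-03-01T09:00:00Z", "caller": "user:admin@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
     "resourceId": VAULT_ID + "/accessPolicies/add"},   # outside the lookback
]

if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_RECORDS, BASELINE_CALLERS):
        print(f["caller"], f["reasons"], triage(f, SAMPLE_ACTIVITY_LOG, VAULT_ID))
```

Run against the sample, the pipeline's handful of daytime reads produce no finding, while the unseen principal trips all three triggers, and the triage output adds the two facts an analyst wants before acting: the access was on a Saturday night and a role assignment on the vault was written a few hours earlier. In a real deployment the baseline set would be built from the prior weeks of AuditEvent callers, and the thresholds tuned per vault, since a backup or inventory job can legitimately list every item.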