Azure Suspicious Key Vault Extraction

Detection overview

Triggers

  • An unusually high number of secret, certificate, or key reads or backups (exports) from an Azure Key Vault within a short time window.
  • An identity retrieves a type of Key Vault object (secret, key, or certificate) that it has not retrieved before.
  • Key Vault objects are retrieved by a user account or service principal that has not previously accessed that vault.

Possible Root Causes

  • Unauthorized Access: An attacker may have gained access to a privileged account and is extracting secrets or keys from Key Vault.
  • Backup or Compliance Processes: Scripts or tools may be extracting secrets or certificates as part of backup operations or regulatory compliance requirements.
  • Security or Compliance Testing: Security teams or compliance audits may involve accessing multiple Key Vault items for validation.

Business Impact

  • Exposed secrets or certificates may allow attackers to impersonate trusted services.
  • Stolen credentials could enable lateral movement or privilege escalation within the cloud environment.
  • Potential significant financial impact if extracted keys or secrets are used to deploy or manipulate resources.

Steps to Verify

  • Analyze Key Vault Logs: Review the vault's diagnostic (AuditEvent) logs for the secret, certificate, and key operations involved, focusing on their frequency, timing, source IP addresses, and the client or user agent that issued them.
  • Investigate Account Behavior: Check whether the accessing account or service principal shows other unusual activity (new sign-in locations, new applications, concurrent sessions), and use the Azure Activity Log to confirm that the vault's access policies, RBAC role assignments, and network rules have not been modified recently.
  • If Malicious Actions Are Suspected:
    • Rotate or disable the affected secrets, certificates, and keys, and update any workloads that depend on them, so the extracted material can no longer be used.
    • Temporarily tighten the Key Vault firewall to deny traffic from the IP addresses or regions involved in the suspicious activity, and review the identity's permissions on the vault.
    • Review the vault and the wider subscription for additional unauthorized activity (new role assignments, new service principals, changes to other vaults) and confirm that logging and access policies are enforced.
    • Notify the security team and document the event in the incident management system for tracking and follow-up actions.
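The three triggers above can be checked directly against Key Vault diagnostic logs. The following detector is an added example written for this page, not the product's own detection code. It consumes a simplified form of the Key Vault AuditEvent record (time, operationName, callerIpAddress, identity.claim, properties.id), learns each identity's normal vaults and object types from a baseline period, and then flags bursts of extraction operations, first-time object types, and first-time identities. The sample events, the ten-minute window, and the threshold of 20 operations are constructed assumptions for illustration.

```python
"""Key Vault extraction detector: an added example, not vendor code.

The event shape mirrors the Key Vault diagnostic "AuditEvent" record in a
simplified form; all sample events below are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operations that return or export credential material, keyed to object type.
EXTRACTION_OPS = {
    "SecretGet": "secret", "SecretBackup": "secret",
    "KeyGet": "key", "KeyBackup": "key",
    "CertificateGet": "certificate", "CertificateBackup": "certificate",
}


def parse_event(line):
    """Reduce one JSON audit record to the fields the detector needs."""
    rec = json.loads(line)
    claim = rec["identity"]["claim"]
    return {
        "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
        "op": rec["operationName"],
        # properties.id is the object URL; element 2 is the vault host name.
        "vault": rec["properties"]["id"].split("/")[2],
        "identity": claim.get("upn") or claim.get("appid"),
        "ip": rec["callerIpAddress"],
    }


def build_baseline(events):
    """Per identity: which vaults and object types it has extracted before."""
    baseline = defaultdict(lambda: {"vaults": set(), "types": set()})
    for e in events:
        if e["op"] in EXTRACTION_OPS:
            baseline[e["identity"]]["vaults"].add(e["vault"])
            baseline[e["identity"]]["types"].add(EXTRACTION_OPS[e["op"]])
    return baseline


def detect(events, baseline_end, window=timedelta(minutes=10), volume_threshold=20):
    """Alert on extraction events at/after baseline_end, judged against the
    behaviour seen before it. Window and threshold are assumed tunables."""
    events = sorted(events, key=lambda e: e["time"])
    baseline = build_baseline(e for e in events if e["time"] < baseline_end)
    recent = defaultdict(list)
    for e in events:
        if e["time"] >= baseline_end and e["op"] in EXTRACTION_OPS:
            recent[e["identity"]].append(e)

    alerts = []
    for ident, evs in recent.items():
        profile = baseline.get(ident)
        ips = sorted({e["ip"] for e in evs})
        # Trigger: identity has never extracted from this vault (or at all).
        for vault in sorted({e["vault"] for e in evs}):
            if profile is None or vault not in profile["vaults"]:
                alerts.append({"rule": "new_identity_for_vault", "identity": ident,
                               "vault": vault, "ips": ips})
        # Trigger: a known identity touches an object type it never touched before.
        if profile is not None:
            for t in sorted({EXTRACTION_OPS[e["op"]] for e in evs} - profile["types"]):
                alerts.append({"rule": "new_object_type", "identity": ident,
                               "type": t, "ips": ips})
        # Trigger: peak number of extractions inside any sliding window.
        times = [e["time"] for e in evs]
        peak, lo = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= volume_threshold:
            alerts.append({"rule": "burst_volume", "identity": ident,
                           "count": peak, "ips": ips})
    return alerts


# --- constructed sample log (not real Key Vault output) ----------------------
T0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
KNOWN_APP = "11111111-aaaa-4bbb-8ccc-000000000001"     # assumed app id
UNKNOWN_APP = "22222222-bbbb-4ccc-9ddd-000000000002"   # assumed app id


def _event(t, op, obj_path, ip, upn=None, appid=None):
    claim = {"upn": upn} if upn else {"appid": appid}
    return json.dumps({
        "time": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "operationName": op,
        "callerIpAddress": ip, "identity": {"claim": claim},
        "properties": {"id": "https://kv-prod.vault.azure.net/" + obj_path,
                       "httpStatusCode": 200},
    })


SAMPLE_LINES = []
# Baseline week: alice and a known app registration each read one secret a day.
for day in range(7):
    t = T0 + timedelta(days=day, hours=9)
    SAMPLE_LINES.append(_event(t, "SecretGet", "secrets/db-password/1",
                               "10.1.2.3", upn="alice@contoso.com"))
    SAMPLE_LINES.append(_event(t, "SecretGet", "secrets/api-token/7",
                               "10.1.2.40", appid=KNOWN_APP))
CUTOFF = T0 + timedelta(days=7)
# Day 8: alice dumps 25 secrets in four minutes from a new IP, then pulls a key.
for i in range(25):
    SAMPLE_LINES.append(_event(CUTOFF + timedelta(seconds=10 * i), "SecretGet",
                               f"secrets/app-secret-{i}/1", "203.0.113.9",
                               upn="alice@contoso.com"))
SAMPLE_LINES.append(_event(CUTOFF + timedelta(minutes=5), "KeyGet",
                           "keys/signing-key/2", "203.0.113.9", upn="alice@contoso.com"))
# Day 8: the known app behaves as usual; an unseen app reads a certificate.
SAMPLE_LINES.append(_event(CUTOFF + timedelta(hours=9), "SecretGet",
                           "secrets/api-token/7", "10.1.2.40", appid=KNOWN_APP))
SAMPLE_LINES.append(_event(CUTOFF + timedelta(hours=10), "CertificateGet",
                           "certificates/tls-wildcard/3", "198.51.100.77", appid=UNKNOWN_APP))


def run_sample():
    """Parse the constructed lines and run the detector over them."""
    return detect([parse_event(line) for line in SAMPLE_LINES], CUTOFF)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run against the constructed sample, the known app produces no alert, alice produces a burst_volume alert (26 extraction operations in one window) and a new_object_type alert for the key, and the unseen app produces a new_identity_for_vault alert. In production the baseline would be built from weeks of AuditEvent history rather than a fixed cut-off, and the source IPs in each alert are what you would pivot on when tightening the vault firewall.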