T1555.006 Google Chronicle · YARA-L

Detect Cloud Secrets Management Stores in Google Chronicle

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. If an adversary gains sufficient privileges in a cloud environment, they may request secrets via API calls such as get-secret-value (AWS), gcloud secrets describe (GCP), and az key vault secret show (Azure). This technique has been used by HAFNIUM, Storm-0501, Scattered Spider, and ScarletEel.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.006 Cloud Secrets Management Stores
Canonical reference
https://attack.mitre.org/techniques/T1555/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1555_006_cloud_secrets_excessive_access {
  meta:
    author = "Detection Engineering"
    description = "Detects excessive access to cloud secrets management APIs across AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager within a one-hour window, consistent with bulk credential harvesting by threat actors including HAFNIUM, Storm-0501, and Scattered Spider."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1555/006/"
    created = "2025-01-01"
    version = "1.0"

  events:
    (
      (
        $e.metadata.vendor_name = "Amazon Web Services" and
        $e.metadata.product_event_type in (
          "GetSecretValue",
          "ListSecrets",
          "DescribeSecret",
          "BatchGetSecretValue"
        )
      ) or
      (
        $e.metadata.vendor_name = "Microsoft Azure" and
        $e.metadata.product_event_type in (
          "SecretGet",
          "SecretList",
          "VaultGet"
        )
      ) or
      (
        $e.metadata.vendor_name = "Google Cloud Platform" and
        re.regex(
          $e.metadata.product_event_type,
          `google\.cloud\.secretmanager\.v1\.SecretManagerService\.(AccessSecretVersion|ListSecrets)`
        )
      )
    )
    $user = $e.principal.user.userid
    $ip = $e.principal.ip

  match:
    $user, $ip over 1h

  condition:
    #e > 10
}
high severity medium confidence

Chronicle YARA-L 2.0 rule that correlates secrets management API events in the UDM stream across all three major cloud providers. The match section groups by principal user ID and IP address over a one-hour sliding window; the condition fires when more than 10 qualifying events are observed for the same actor, providing a low-noise signal for automated credential harvesting distinct from routine application use.

Data Sources

AWS CloudTrail ingested into Chronicle (vendor_name: Amazon Web Services)Azure Monitor Activity Logs ingested into Chronicle (vendor_name: Microsoft Azure)GCP Cloud Audit Logs via native Chronicle integration (vendor_name: Google Cloud Platform)

Required Tables

Chronicle UDM event store (cloud audit log feed)

False Positives & Tuning

  • Kubernetes secret-sync operators (External Secrets Operator, Secrets Store CSI Driver) reconciling a large number of Kubernetes secrets from cloud vaults during cluster bootstrap or rapid pod autoscaling events — these identities have predictable naming conventions and cluster source IPs
  • Multi-cloud observability and APM platforms authenticating to multiple secrets stores at startup to retrieve instrumentation credentials, producing a burst of access events from a single service account during deployment windows
  • Authorised penetration testing or red team exercises operating within scope against the organisation's cloud environment — cross-reference principal.user.userid against approved testing accounts and change management records before escalating
Download portable Sigma rule (.yml)

Other platforms for T1555.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate AWS Secrets Manager secrets

    Expected signal: AWS CloudTrail: ListSecrets event followed by GetSecretValue event, both with the caller's IAM identity ARN and source IP. Events appear in CloudTrail within 5-15 minutes.

  2. Test 2Retrieve Azure Key Vault secret

    Expected signal: Azure Key Vault diagnostic logs: SecretList and SecretGet operations with caller IP and identity. Azure AD audit log entry for the service principal or user identity.

  3. Test 3Access GCP Secret Manager secret

    Expected signal: GCP Cloud Audit Log: Admin Activity log for ListSecrets, Data Access log for AccessSecretVersion. Both events contain the principal email and source IP.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1555.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password Managers

Related Techniques

T1555Credentials from Password StoresT1552.005Cloud Instance Metadata APIT1078.004Cloud AccountsT1098Account ManipulationT1580Cloud Infrastructure DiscoveryT1537Transfer Data to Cloud Account

Same Tactic: Credential Access

Popular Detections