Detect Cloud Secrets Management Stores in Elastic Security
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. If an adversary gains sufficient privileges in a cloud environment, they may request secrets via API calls such as get-secret-value (AWS), gcloud secrets describe (GCP), and az key vault secret show (Azure). This technique has been used by HAFNIUM, Storm-0501, Scattered Spider, and ScarletEel.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.006 Cloud Secrets Management Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/006/
Elastic Detection Query
sequence by user.name, source.ip with maxspan=1h
[any where event.dataset in ("aws.cloudtrail", "azure.activitylogs", "gcp.audit")
and (
event.action in ("GetSecretValue", "ListSecrets", "DescribeSecret", "BatchGetSecretValue",
"SecretGet", "SecretList", "VaultGet")
or event.action : ("*AccessSecretVersion*", "*SecretManagerService*")
)
] with runs=10Detects repeated access to cloud secrets management APIs (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) by the same identity and source IP within a one-hour window. Uses EQL sequence with runs=10 to enforce the threshold consistent with bulk credential harvesting. Deploy as a threshold rule in Elastic Security. Maps to T1555.006 as used by HAFNIUM, Storm-0501, and Scattered Spider.
Data Sources
Required Tables
False Positives & Tuning
- CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that retrieve multiple secrets during build or deployment workflows — baseline pipeline service account identities and exclude them by user.name
- Terraform or Pulumi runs performing plan/apply operations that enumerate secrets across an environment — expected during large-scale infrastructure provisioning and identifiable by the requesting user agent
- Automated secret rotation scripts that access current and new secret versions in bulk — typically execute via dedicated rotation service accounts on predictable schedules that can be allowlisted
Other platforms for T1555.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate AWS Secrets Manager secrets
Expected signal: AWS CloudTrail: ListSecrets event followed by GetSecretValue event, both with the caller's IAM identity ARN and source IP. Events appear in CloudTrail within 5-15 minutes.
- Test 2Retrieve Azure Key Vault secret
Expected signal: Azure Key Vault diagnostic logs: SecretList and SecretGet operations with caller IP and identity. Azure AD audit log entry for the service principal or user identity.
- Test 3Access GCP Secret Manager secret
Expected signal: GCP Cloud Audit Log: Admin Activity log for ListSecrets, Data Access log for AccessSecretVersion. Both events contain the principal email and source IP.
References (7)
- https://attack.mitre.org/techniques/T1555/006/
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html
- https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli
- https://cloud.google.com/secret-manager/docs/view-secret-details
- https://sysdig.com/blog/scarleteel-2-0/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md
Unlock Pro Content
Get the full detection package for T1555.006 including response playbook, investigation guide, and atomic red team tests.