T1555.006 IBM QRadar · QRadar

Detect Cloud Secrets Management Stores in IBM QRadar

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. If an adversary gains sufficient privileges in a cloud environment, they may request secrets via API calls such as get-secret-value (AWS), gcloud secrets describe (GCP), and az key vault secret show (Azure). This technique has been used by HAFNIUM, Storm-0501, Scattered Spider, and ScarletEel.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.006 Cloud Secrets Management Stores
Canonical reference
https://attack.mitre.org/techniques/T1555/006/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  username,
  sourceip,
  CASE
    WHEN LOGSOURCETYPENAME(devicetype) LIKE '%CloudTrail%' THEN 'AWS'
    WHEN LOGSOURCETYPENAME(devicetype) LIKE '%Azure%' OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft%' THEN 'Azure'
    WHEN LOGSOURCETYPENAME(devicetype) LIKE '%Google%' OR LOGSOURCETYPENAME(devicetype) LIKE '%GCP%' THEN 'GCP'
    ELSE 'Unknown'
  END AS cloud_provider,
  COUNT(*) AS SecretAccessCount,
  COUNT(DISTINCT QIDNAME(qid)) AS UniqueOperationTypes,
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstAccess,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastAccess
FROM events
WHERE
  (
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%CloudTrail%'
      AND QIDNAME(qid) IN ('GetSecretValue', 'ListSecrets', 'DescribeSecret', 'BatchGetSecretValue')
    )
    OR (
      (LOGSOURCETYPENAME(devicetype) LIKE '%Azure%' OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft%')
      AND (
        LOWER(QIDNAME(qid)) LIKE '%secretget%'
        OR LOWER(QIDNAME(qid)) LIKE '%keyvault%'
        OR LOWER(QIDNAME(qid)) LIKE '%secretlist%'
      )
    )
    OR (
      (LOGSOURCETYPENAME(devicetype) LIKE '%Google%' OR LOGSOURCETYPENAME(devicetype) LIKE '%GCP%')
      AND (
        QIDNAME(qid) LIKE '%AccessSecretVersion%'
        OR QIDNAME(qid) LIKE '%ListSecrets%'
      )
    )
  )
GROUP BY username, sourceip, cloud_provider
HAVING COUNT(*) > 10
ORDER BY SecretAccessCount DESC
LAST 24 HOURS
high severity medium confidence

AQL query against the QRadar normalised events store that aggregates secrets management API operations from AWS CloudTrail, Azure Activity, and GCP Audit log source types over the trailing 24 hours. Groups by username and source IP to identify principals exceeding 10 qualifying events — a threshold indicative of automated credential harvesting rather than interactive use. UniqueOperationTypes provides secondary signal for breadth of access.

Data Sources

Amazon AWS CloudTrail log source type in QRadarMicrosoft Azure Active Directory / Activity Logs log source type in QRadarGoogle Cloud Platform Audit log source type in QRadar

Required Tables

events

False Positives & Tuning

  • Cloud infrastructure monitoring and CSPM agents (Datadog, Orca, Wiz) that periodically enumerate secrets metadata across all vaults for inventory and misconfiguration scanning — identifiable by consistent scheduling and dedicated service account usernames
  • DevOps toolchains using shared service accounts to resolve secrets during large-scale deployment pipelines spanning dozens of microservices — count spikes correlated with deployment pipeline timing
  • Secrets management middleware with caching disabled (AWS SDK without TTL, HashiCorp Vault Agent in legacy mode) that fetches the same secret on every application request — high frequency from a static IP with a single secret name pattern
Download portable Sigma rule (.yml)

Other platforms for T1555.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate AWS Secrets Manager secrets

    Expected signal: AWS CloudTrail: ListSecrets event followed by GetSecretValue event, both with the caller's IAM identity ARN and source IP. Events appear in CloudTrail within 5-15 minutes.

  2. Test 2Retrieve Azure Key Vault secret

    Expected signal: Azure Key Vault diagnostic logs: SecretList and SecretGet operations with caller IP and identity. Azure AD audit log entry for the service principal or user identity.

  3. Test 3Access GCP Secret Manager secret

    Expected signal: GCP Cloud Audit Log: Admin Activity log for ListSecrets, Data Access log for AccessSecretVersion. Both events contain the principal email and source IP.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1555.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password Managers

Related Techniques

T1555Credentials from Password StoresT1552.005Cloud Instance Metadata APIT1078.004Cloud AccountsT1098Account ManipulationT1580Cloud Infrastructure DiscoveryT1537Transfer Data to Cloud Account

Same Tactic: Credential Access

Popular Detections