Detect Cloud Secrets Management Stores in Microsoft Sentinel
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. If an adversary gains sufficient privileges in a cloud environment, they may request secrets via API calls such as get-secret-value (AWS), gcloud secrets describe (GCP), and az key vault secret show (Azure). This technique has been used by HAFNIUM, Storm-0501, Scattered Spider, and ScarletEel.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.006 Cloud Secrets Management Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/006/
KQL Detection Query
let AWSSecretOps = dynamic(["GetSecretValue", "ListSecrets", "DescribeSecret", "BatchGetSecretValue"]);
let AzureSecretOps = dynamic(["SecretGet", "SecretList", "Microsoft.KeyVault/vaults/secrets/read", "Microsoft.KeyVault/vaults/secrets/getSecret"]);
let GCPSecretOps = dynamic(["google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.ListSecrets"]);
CloudAppEvents
| where Timestamp > ago(24h)
| where ActionType has_any (AWSSecretOps) or ActionType has_any (AzureSecretOps) or ActionType has_any (GCPSecretOps)
| summarize SecretAccessCount=count(), UniqueSecrets=dcount(tostring(RawEventData.requestParameters.secretId)),
FirstAccess=min(Timestamp), LastAccess=max(Timestamp)
by AccountDisplayName, IPAddress, Application
| where SecretAccessCount > 10 or UniqueSecrets > 5
| sort by SecretAccessCount descDetects bulk or anomalous access to cloud secrets management stores across AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager. Aggregates secret access events by identity and IP, alerting when an account retrieves more than 10 secrets or accesses more than 5 unique secrets in 24 hours — indicating potential credential harvesting by a compromised identity.
Data Sources
Required Tables
False Positives & Tuning
- CI/CD pipelines that retrieve multiple secrets during deployment operations
- Application startup routines that batch-load configuration secrets from the secrets manager
- Secrets rotation automation that accesses all secrets during scheduled rotation cycles
- Infrastructure-as-Code tools (Terraform, Pulumi) that read secrets during plan/apply operations
Other platforms for T1555.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate AWS Secrets Manager secrets
Expected signal: AWS CloudTrail: ListSecrets event followed by GetSecretValue event, both with the caller's IAM identity ARN and source IP. Events appear in CloudTrail within 5-15 minutes.
- Test 2Retrieve Azure Key Vault secret
Expected signal: Azure Key Vault diagnostic logs: SecretList and SecretGet operations with caller IP and identity. Azure AD audit log entry for the service principal or user identity.
- Test 3Access GCP Secret Manager secret
Expected signal: GCP Cloud Audit Log: Admin Activity log for ListSecrets, Data Access log for AccessSecretVersion. Both events contain the principal email and source IP.
References (7)
- https://attack.mitre.org/techniques/T1555/006/
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html
- https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli
- https://cloud.google.com/secret-manager/docs/view-secret-details
- https://sysdig.com/blog/scarleteel-2-0/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md
Unlock Pro Content
Get the full detection package for T1555.006 including response playbook, investigation guide, and atomic red team tests.