title: Cloud Secrets Management Stores (T1555.006)
id: df00tech-t1555-006
status: experimental
description: "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. If an adversary gains sufficient privileges in a cloud environment, they may request secrets via API calls such as get-secret-value (AWS), gcloud secrets describe (GCP), and az key vault secret show (Azure). This technique has been used by HAFNIUM, Storm-0501, Scattered Spider, and ScarletEel."
references:
  - https://attack.mitre.org/techniques/T1555/006/
  - https://df00tech.com/detections/T1555.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1555.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
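  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches any event that carries
  # an EventID field and does not identify secret retrieval. Replace it with logic
  # translated from the KQL/SPL query before deploying this rule.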
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - CI/CD pipelines that retrieve multiple secrets during deployment operations
  - Application startup routines that batch-load configuration secrets from the secrets manager
  - Secrets rotation automation that accesses all secrets during scheduled rotation cycles
  - "Infrastructure-as-Code tools (Terraform, Pulumi) that read secrets during plan/apply operations"
level: critical
