1. Home
  2. Techniques
  3. Enterprise
  4. Credentials from Password Stores
  5. Cloud Secrets Management Stores

Credentials from Password Stores: Cloud Secrets Management Stores

ID Name
T1555.001 Keychain
T1555.002 Securityd Memory
T1555.003 Credentials from Web Browsers
T1555.004 Windows Credential Manager
T1555.005 Password Managers
T1555.006 Cloud Secrets Management Stores

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure.[1][2][3][4][5]

Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.

ID: T1555.006
Sub-technique of:  T1555
Tactic: Credential Access
Platforms: IaaS
Contributors: Martin McCloskey, Datadog
Version: 1.0
Created: 25 September 2023
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0125 HAFNIUM

HAFNIUM has moved laterally from on-premises environments to steal passwords from Azure key vaults.[6]
S1091 Pacu

Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.[7]
G1053 Storm-0501

Storm-0501 has utilized Azure Key Vault to store the encryption key using the operation Microsoft.KeyVault/Vaults/write.[8]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0130 Detect Unauthorized Access to Cloud Secrets Management Stores AN0366

Detection of suspicious access to cloud-native secret management systems (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault). Focuses on abnormal secret retrieval activity, such as secrets being accessed by unusual identities, from unexpected regions, outside business hours, or at high volume. Correlates API calls to secret retrieval with surrounding authentication events, role assumptions, and anomalous execution patterns.

References

  1. Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.
  2. Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.
  3. AWS. (n.d.). Retrieve secrets from AWS Secrets Manager. Retrieved September 25, 2023.
  4. Google Cloud. (n.d.). List secrets and view secret details. Retrieved September 25, 2023.
  1. Microsoft. (2023, January 13). Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI. Retrieved September 25, 2023.
  2. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  3. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  4. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.