Credentials from Password Stores: Cloud Secrets Management Stores

Other sub-techniques of Credentials from Password Stores (6)

ID	Name
T1555.001	Keychain
T1555.002	Securityd Memory
T1555.003	Credentials from Web Browsers
T1555.004	Windows Credential Manager
T1555.005	Password Managers
T1555.006	Cloud Secrets Management Stores

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure.^[1]^[2]^[3]^[4]^[5]

Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.

ID: T1555.006

Sub-technique of: T1555

ⓘ

Tactic: Credential Access

ⓘ

Platforms: IaaS

Contributors: Martin McCloskey, Datadog

Version: 1.0

Created: 25 September 2023

Last Modified: 15 October 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S1091	Pacu	Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.^[6]

Mitigations

ID	Mitigation	Description
M1026	Privileged Account Management	Limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0025	Cloud Service	Cloud Service Enumeration	Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from the secrets manager, such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests. Analytic 1 - High volume of secret requests from unusual accounts or services. index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity")(eventName IN ("GetSecretValue", "gcloud secrets describe", "az key vault secret show"))\| eval User=coalesce(userIdentity.arn, protoPayload.authenticationInfo.principalEmail, claims.user)\| eval Service=coalesce(eventSource, protoPayload.serviceName, claims.aud)\| eval AccountType=case( match(User, "root\|admin\|superuser"), "High-Privilege", match(User, "serviceaccount\|svc\|automation"), "Service-Account", true(), "Standard-User")\| eval Platform=case( sourcetype=="aws:cloudtrail", "AWS", sourcetype=="gcp:logging", "GCP", sourcetype=="azure:activity", "Azure", true(), "Unknown")\| where AccountType != "High-Privilege" Analytic 2 - Cloud Service Enumeration `index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity") \| search (sourcetype="aws:cloudtrail" eventName="GetSecretValue" OR sourcetype="gcp:pubsub:message" methodName="google.iam.credentials.v1.*" OR sourcetype="azure:eventhub" operationName="Microsoft.KeyVault/vaults/secrets/read")`

DS0025

Cloud Service

Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from the secrets manager, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity")(eventName IN ("GetSecretValue", "gcloud secrets describe", "az key vault secret show"))| eval User=coalesce(userIdentity.arn, protoPayload.authenticationInfo.principalEmail, claims.user)| eval Service=coalesce(eventSource, protoPayload.serviceName, claims.aud)| eval AccountType=case( match(User, "root|admin|superuser"), "High-Privilege", match(User, "serviceaccount|svc|automation"), "Service-Account", true(), "Standard-User")| eval Platform=case( sourcetype=="aws:cloudtrail", "AWS", sourcetype=="gcp:logging", "GCP", sourcetype=="azure:activity", "Azure", true(), "Unknown")| where AccountType != "High-Privilege"

Analytic 2 - Cloud Service Enumeration

index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity") | search (sourcetype="aws:cloudtrail" eventName="GetSecretValue" OR sourcetype="gcp:pubsub:message" methodName="google.iam.credentials.v1.*" OR sourcetype="azure:eventhub" operationName="Microsoft.KeyVault/vaults/secrets/read")

Credentials from Password Stores: Cloud Secrets Management Stores

Other sub-techniques of Credentials from Password Stores (6)

Procedure Examples

Mitigations

Detection

References