T1555.006 Cloud Secrets Management Stores

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)

Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
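From the defender's side, the secret-retrieval calls described above leave audit-log records, and the way harvesting differs from normal application use is who reads and how many distinct secrets are read. The following is an added example, not part of the ATT&CK page or the Mappings Explorer: it runs two simple checks over constructed CloudTrail-style GetSecretValue records (an allowlist of expected reader roles, and a burst of distinct secrets by one principal). The role ARNs, secret names, threshold and window are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: the only principals expected to read secrets at runtime.
EXPECTED_READERS = {"arn:aws:sts::111122223333:assumed-role/app-prod-role/i-0abc"}
BURST_THRESHOLD = 3                   # distinct secrets read by one principal...
BURST_WINDOW = timedelta(minutes=5)   # ...within this window looks like harvesting

def detect_secret_harvesting(events):
    """Return (rule, principal, detail) findings for Secrets Manager reads."""
    findings, reads = [], defaultdict(list)
    for ev in events:
        # Only GetSecretValue returns the secret itself; list/describe calls do not.
        if (ev.get("eventSource") != "secretsmanager.amazonaws.com"
                or ev.get("eventName") != "GetSecretValue"):
            continue
        principal = ev["userIdentity"]["arn"]
        secret = ev.get("requestParameters", {}).get("secretId", "<unknown>")
        if principal not in EXPECTED_READERS:
            findings.append(("unexpected-reader", principal, secret))
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        reads[principal].append((when, secret))
    for principal, items in reads.items():
        items.sort()  # chronological, so a sliding window can start at each read
        for i, (start, _) in enumerate(items):
            distinct = {s for t, s in items[i:] if t - start <= BURST_WINDOW}
            if len(distinct) >= BURST_THRESHOLD:
                findings.append(("burst-read", principal, f"{len(distinct)} secrets in {BURST_WINDOW}"))
                break  # one burst finding per principal is enough
    return findings

def _event(time, arn, name="GetSecretValue", secret=None, source="secretsmanager.amazonaws.com"):
    rp = {"secretId": secret} if secret else {}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": rp}

APP = "arn:aws:sts::111122223333:assumed-role/app-prod-role/i-0abc"
USER = "arn:aws:iam::111122223333:user/contractor"
SAMPLE_EVENTS = [  # constructed CloudTrail-style records, not real telemetry
    _event("2024-05-01T10:00:00Z", APP, secret="prod/db/password"),
    _event("2024-05-01T10:01:00Z", USER, secret="prod/db/password"),
    _event("2024-05-01T10:01:30Z", USER, secret="prod/api/payments"),
    _event("2024-05-01T10:02:00Z", USER, secret="prod/smtp/creds"),
    _event("2024-05-01T10:02:10Z", USER, name="DescribeInstances", source="ec2.amazonaws.com"),
    _event("2024-05-01T10:30:00Z", APP, secret="prod/db/password"),
]

if __name__ == "__main__":
    for finding in detect_secret_harvesting(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

In the sample, the workload role produces no findings while the IAM user triggers three unexpected-reader findings and one burst-read finding; in production the allowlist would be derived from the resource policies on the secrets rather than hard-coded.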

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.IR-01.06 | Production environment segregation | Mitigates | T1555.006 | Cloud Secrets Management Stores
  Notes: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
PR.AA-05.02 | Privileged system access | Mitigates | T1555.006 | Cloud Secrets Management Stores
  Notes: This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management and multi-factor authentication.
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1555.006 | Cloud Secrets Management Stores
  Notes: This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-07 | Least Functionality | mitigates | T1555.006 | Cloud Secrets Management Stores
AC-06 | Least Privilege | mitigates | T1555.006 | Cloud Secrets Management Stores
AC-03 | Access Enforcement | mitigates | T1555.006 | Cloud Secrets Management Stores
AC-02 | Account Management | mitigates | T1555.006 | Cloud Secrets Management Stores

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1555.006 | Cloud Secrets Management Stores
attribute.confidentiality.data_disclosure | None | related-to | T1555.006 | Cloud Secrets Management Stores

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
azure_key_vault | Azure Key Vault | technique_scores | T1555.006 | Cloud Secrets Management Stores
  Notes: This control may provide a more secure location for storing passwords. If an Azure user account, endpoint, or application is compromised, it may have only limited access to passwords stored in the Key Vault.
azure_policy | Azure Policy | technique_scores | T1555.006 | Cloud Secrets Management Stores
  Notes: This control may provide recommendations for auditing and hardening Azure Key Vault to prevent malicious access and segment key access.
defender_for_key_vault | Microsoft Defender for Key Vault | technique_scores | T1555.006 | Cloud Secrets Management Stores
  Notes: This control may detect suspicious secret access from Azure key vaults.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
google_secops | Google Security Operations | technique_scores | T1555.006 | Cloud Secrets Management Stores
  Notes: Google Security Operations can prevent those with insufficient privileges from accessing the secrets manager, as well as detect modifications to user privileges that may allow them access. This was ranked as partial because it cannot prevent a compromised account that already holds those permissions from accessing the secrets manager.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1555.006 | Cloud Secrets Management Stores
  Notes: This control may prevent harvesting of credentials from password stores by providing a secure, finely controlled location for secrets storage. This control is only relevant for credentials that would be used from application and configuration files, not those entered directly by an end user.