Description
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.
Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.
If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az keyvault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)
Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require. |
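As an added illustration of this mitigation (example code written for this page, not from ATT&CK or AWS), the following Python checks an IAM policy document for statements that grant secret-value reads more widely than the secrets a role actually needs. The two action names are real Secrets Manager actions; the policy, account id and secret ARNs are constructed.

```python
"""Least-privilege check for IAM policies touching AWS Secrets Manager (M1026): flag
Allow statements that let a principal read secret values beyond the specific secrets
it needs. The sample policy and ARNs below are constructed, not taken from any account."""
import fnmatch

# Secrets Manager actions that return secret material (real action names).
SECRET_READ_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue")


def _as_list(value):  # IAM allows a string or a list in Action/Resource
    return [] if value is None else value if isinstance(value, list) else [value]


def grants_secret_read(action):
    """True if an Action entry (possibly wildcarded: 'secretsmanager:*', '*') covers a secret read."""
    return any(fnmatch.fnmatchcase(a, action) for a in SECRET_READ_ACTIONS)


def matches_all_secrets(resource):
    """True for '*' or any ARN pattern whose secret-name field is nothing but wildcards."""
    name = resource.rsplit("secret:", 1)[-1] if "secret:" in resource else resource.rsplit(":", 1)[-1]
    return name.strip("*?") == ""


def find_overbroad_statements(policy, required_secret_arns):
    """Return (statement_index, resource, reason) for Allow statements that read secrets outside the required set."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction grants everything not listed, so it always covers secret reads.
        if "NotAction" not in stmt and not any(map(grants_secret_read, _as_list(stmt.get("Action")))):
            continue
        if "Resource" not in stmt:  # NotResource inverts matching; treat it as unbounded
            findings.append((idx, None, "secret read without an explicit Resource"))
            continue
        for res in _as_list(stmt["Resource"]):
            if matches_all_secrets(res):
                findings.append((idx, res, "grants read on every secret"))
            elif not any(fnmatch.fnmatchcase(arn, res) for arn in required_secret_arns):
                findings.append((idx, res, "grants read on a secret this role does not need"))
    return findings


# Constructed sample: a role that should read only the two prod/db secrets.
ARN_PREFIX = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"
REQUIRED = [ARN_PREFIX + "prod/db-password-AbCdEf", ARN_PREFIX + "prod/db-user-GhIjKl"]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": ARN_PREFIX + "prod/db-*"},
    {"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": "*"},  # the weak grant
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": ARN_PREFIX + "billing/api-key-MnOpQr"},
    {"Effect": "Allow", "Action": "secretsmanager:DescribeSecret", "Resource": "*"},  # metadata only, not flagged
]}
```

Running `find_overbroad_statements(SAMPLE_POLICY, REQUIRED)` reports the wildcard statement and the unneeded billing secret, while the scoped `prod/db-*` grant and the metadata-only `DescribeSecret` statement pass.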
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has moved laterally from on-premises environments to steal passwords from Azure key vaults.(Citation:... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has utilized Azure Key Vault to store the encryption key using the operation `Microsoft.KeyVault/V... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has gathered secrets from AWS Secrets and GCP Secret Manager.(Citation: Aikido Shai-Hulud Septem... |
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) can obtain secrets from AWS Secrets and GCP Secret Manager.(Citation: Black Hills Information Se... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.(Citation: GitHub Pacu) |
References
- Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.
- AWS. (n.d.). Retrieve secrets from AWS Secrets Manager. Retrieved September 25, 2023.
- Google Cloud. (n.d.). List secrets and view secret details. Retrieved September 25, 2023.
- Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.
- Microsoft. (2023, January 13). Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI. Retrieved September 25, 2023.
Frequently Asked Questions
What is T1555.006 (Cloud Secrets Management Stores)?
T1555.006 is a MITRE ATT&CK technique named 'Cloud Secrets Management Stores'. It belongs to the Credential Access tactic(s). Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the...
How can T1555.006 be detected?
Detection of T1555.006 (Cloud Secrets Management Stores) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1555.006?
There is 1 documented mitigation for T1555.006: Privileged Account Management (M1026).
Which threat groups use T1555.006?
Known threat groups using T1555.006 include: HAFNIUM, Storm-0501.