Detection and Compromise: Azure Key Vaults & Secrets
Azure Key Vaults are an attractive target for threat actors, as they contain information that may allow a threat actor to gain access to sensitive keys, passwords and certificates that can further the attack chain, leading to persistence, lateral movement, and data collection. The Azure Key Vault is often used by developers for managing keys, certificates, and passwords (tokens, API keys and secrets). The following three permissions can be abused by a threat actor in this attack chain, allowing them to read secrets in cleartext and modify access policies (i.e. granting read permissions to another malicious account). I would recommend that during Azure audit assessments, service principals, managed identities and users with access to these three permissions are properly audited:

Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write

Attack Conditions

Abuse of Azure Key Vaults requ...
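To make the audit recommendation above concrete, here is an added example (my own code, not the post author's) that walks role definitions and role assignments and reports which principals end up holding the three permissions listed, including through wildcard grants such as `Microsoft.KeyVault/*` and after `NotActions` exclusions. The role names, principals and JSON records are constructed sample data; they reuse the field names that `az role definition list` and `az role assignment list` emit, so in a real assessment you would load those commands' output instead of the inline samples.

```python
"""Audit which Azure principals hold the three Key Vault permissions named
in the post. This is an added example, not code from the original post.

The role definitions and assignments below are constructed sample data with
the field names that `az role definition list` and `az role assignment list`
emit; in a real audit you would load those commands' JSON output instead.
"""
import fnmatch
import json

# The three permissions the post recommends auditing.
WATCHED = (
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/read",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
)

# Constructed role definitions (not the contents of any real built-in role).
ROLE_DEFINITIONS = json.loads("""[
  {"roleName": "Full Control (constructed)",
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "KV Reader (constructed)",
   "permissions": [{"actions": ["Microsoft.KeyVault/vaults/read",
                                "Microsoft.KeyVault/vaults/secrets/read"],
                    "notActions": []}]},
  {"roleName": "KV Policy Writer (constructed)",
   "permissions": [{"actions": ["Microsoft.KeyVault/vaults/*/write"],
                    "notActions": []}]},
  {"roleName": "Broad Minus Policies (constructed)",
   "permissions": [{"actions": ["Microsoft.KeyVault/*"],
                    "notActions": ["Microsoft.KeyVault/vaults/accessPolicies/write"]}]}
]""")

# Constructed role assignments.
ROLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "sp-build-agent", "principalType": "ServicePrincipal",
   "roleDefinitionName": "KV Policy Writer (constructed)"},
  {"principalName": "sp-build-agent", "principalType": "ServicePrincipal",
   "roleDefinitionName": "KV Reader (constructed)"},
  {"principalName": "alice@example.test", "principalType": "User",
   "roleDefinitionName": "Full Control (constructed)"},
  {"principalName": "mi-web-app", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Broad Minus Policies (constructed)"},
  {"principalName": "bob@example.test", "principalType": "User",
   "roleDefinitionName": "KV Reader (constructed)"}
]""")


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive and '*' may stand in
    for any run of characters (including '/'), so shell-style glob matching
    on the lower-cased strings reproduces the rule closely enough for an
    audit. Azure action strings never contain '?' or '[', so fnmatch's other
    metacharacters cannot misfire here."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(role: dict, candidates) -> set:
    """Return the subset of `candidates` this role grants: an action counts
    only if some Actions entry matches it and no NotActions entry does.
    Only the management-plane 'actions' list is inspected here."""
    granted = set()
    for perm in role.get("permissions", []):
        allows = perm.get("actions", [])
        denies = perm.get("notActions", [])
        for action in candidates:
            if any(action_matches(p, action) for p in allows) and not any(
                action_matches(p, action) for p in denies
            ):
                granted.add(action)
    return granted


def audit(definitions, assignments, watched=WATCHED) -> dict:
    """Map each assigned principal to the watched actions it ends up holding.
    Effective permissions are the union over all of a principal's roles."""
    roles = {r["roleName"]: r for r in definitions}
    report = {}
    for assignment in assignments:
        role = roles.get(assignment["roleDefinitionName"])
        if role is None:  # assignment to a role we have no definition for
            continue
        held = report.setdefault(assignment["principalName"], set())
        held |= effective_actions(role, watched)
    return report


def full_chain_principals(report: dict, watched=WATCHED) -> list:
    """Principals holding all three watched permissions at once: these are
    the ones to review first, since they can both read secrets and grant
    that access to others."""
    return sorted(p for p, held in report.items() if set(watched) <= held)


if __name__ == "__main__":
    result = audit(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    for principal, held in sorted(result.items()):
        flag = "ALL THREE" if set(WATCHED) <= held else ""
        print(f"{principal:20} {len(held)}/3 {flag}")
        for action in sorted(held):
            print(f"    {action}")
```

Two things the sample deliberately shows: `sp-build-agent` never holds the literal `accessPolicies/write` string but gets it through the `vaults/*/write` wildcard, while `mi-web-app` holds a broad `Microsoft.KeyVault/*` grant that a `NotActions` entry trims back to two of the three. The script only inspects the management-plane `actions` lists; for vaults on the RBAC permission model the same matching should be run over `dataActions`/`notDataActions`, and for vaults on the access-policy model the vault's own access policies (the `properties.accessPolicies` block of `az keyvault show`) need to be reviewed as well.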