Pillaging Keys, Secrets and Certificates from Key Vaults

Pillaging keys, secrets, and certificates from Key Vaults

Explanation

Azure Key Vault is a service for managing application secrets, keys, and certificates in the Azure platform. The primary use case of Key Vault is to provide a secure way for application developers to centrally store sensitive information that their code needs to use at runtime without making that information part of the code. The sensitive information that is commonly stored in Key Vault could be tokens, passwords, data store connection strings, API keys, and other secret types.

Access to a Key Vault resource is controlled through two planes:

1) Management Plane (endpoint URL: management.azure.com)

2) Data Plane (endpoint URL: VAULT-NAME.vault.azure.com)

Management Plane

• The management plane is the endpoint that administrators interact with to perform administrative operations, such as creating and deleting Key Vault instances, retrieving Key Vault properties, and updating access policies.

Data Plane

• The data plane is the interface that applications interact with to access the sensitive information stored in the vault (secrets, keys, and certificates). The operations that can be performed on this plane include reading, adding, deleting, or modifying keys, secrets, and certificates.

When reviewing key vaults, it is important to first look at the access policies to see if your current user account has rights to the vaults. If your user does not have rights to the vaults and you are attempting to stay under the radar, you may want to look at how you can access the vaults with other authorized security principals. In many cases, these rights are applied to automation Run as accounts (see later in this chapter), app registrations, and/or managed identities.

Here are some options for using alternative principals to access key vaults:

• Automation accounts: Create a new runbook that uses the Run as account to access the key vault.

• App registrations: Authenticate as the app registration and access the key vault.

• Managed Identities: Generate REST API tokens for the identity to access the key vault with.

Exfiltrate secrets, keys and certificates in Key Vault

1) Authenticate to Contributor user/role account

Connect-AzAccount

2) Import MicroBurst

Import-Module MicroBurst.psm1

3) Dump out sensitive information from the Key Vault resources

Get-AzPasswords -AutomationAccounts N -AppServices N -Keys Y -ACR N -CosmosDB N -ModifyPolicies Y -Verbose | Out-GridView 

4) When prompted, select the Azure subscription and click OK

• MicroBurst will then enumerate all Key Vault resources, add an access policy to temporarily grant permissions, exfiltrate the information in them, and remove the added access policy. (Hence the Y option to -ModifyPolicies flag)