
Retrieve a High Number of Secrets Manager secrets (Batch)

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Credential Access

Description

Retrieves a high number of Secrets Manager secrets in batches, through secretsmanager:BatchGetSecretValue (released November 2023). An attacker may attempt to retrieve a high number of secrets in batches to avoid detection and to generate fewer API calls. Note that the batch size is limited to 20 secrets.

Warm-up:

  • Create multiple secrets in Secrets Manager.

Detonation:

  • Dump all secrets in batches of 10, using secretsmanager:BatchGetSecretValue.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secrets

Detection

Identify principals that attempt to retrieve secrets by batch, through CloudTrail's BatchGetSecretValue event. Sample event:

{
  "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "BatchGetSecretValue",
  "requestParameters": {
    "filters": [
      {
        "key": "tag-key",
        "values": [
          "StratusRedTeam"
        ]
      }
    ]
  },
  "responseElements": null,
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "012345678901"
}

Although BatchGetSecretValue requires a list of secret IDs or a filter, an attacker may use a catch-all filter to retrieve all secrets by batch:

{
  "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "BatchGetSecretValue",
  "requestParameters": {
    "filters": [
      {
        "key": "tag-key",
        "values": [
          "!tagKeyThatWillNeverExist"
        ]
      }
    ]
  },
  "responseElements": null,
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "012345678901"
}

The following may be used to tune the detection, or to validate findings:

  • Principals who do not usually call BatchGetSecretValue
  • Attempts to call BatchGetSecretValue resulting in access denied errors
  • Principals calling BatchGetSecretValue in several regions in a short period of time
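The triage logic above, as an added example that is not part of Stratus Red Team: it runs over constructed CloudTrail records (not real data) and flags the catch-all filter pattern from the sample event, principals outside an assumed baseline set, access denied errors, and calls spanning several regions within a short window. The rotation-role ARN, the baseline set and the window size are assumptions.

```python
"""Triage CloudTrail records for BatchGetSecretValue abuse signals."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: principals that legitimately call BatchGetSecretValue here.
KNOWN_BATCH_CALLERS = {"arn:aws:iam::012345678901:role/secrets-rotation"}

SAMPLE_EVENTS = [  # constructed records, not real CloudTrail output
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "BatchGetSecretValue", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::012345678901:role/secrets-rotation"},
     "requestParameters": {"filters": [{"key": "tag-key", "values": ["StratusRedTeam"]}]}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "BatchGetSecretValue", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::012345678901:assumed-role/DevRole/session"},
     "requestParameters": {"filters": [{"key": "tag-key", "values": ["!tagKeyThatWillNeverExist"]}]}},
    {"eventTime": "2024-01-10T10:08:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "BatchGetSecretValue", "awsRegion": "eu-west-1", "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:sts::012345678901:assumed-role/DevRole/session"},
     "requestParameters": {"filters": [{"key": "tag-key", "values": ["!tagKeyThatWillNeverExist"]}]}},
]


def is_catch_all(event):
    """A leading '!' negates the tag match, so a key that never exists matches every secret."""
    filters = (event.get("requestParameters") or {}).get("filters") or []
    return any(v.startswith("!") for f in filters for v in f.get("values", []))


def triage(events, window=timedelta(minutes=15), region_threshold=2):
    """Return (principal, signal) tuples; one 'multi-region' finding at most per principal."""
    findings, by_principal = [], defaultdict(list)
    for e in events:
        if e.get("eventSource") != "secretsmanager.amazonaws.com" or e.get("eventName") != "BatchGetSecretValue":
            continue
        who = e["userIdentity"]["arn"]
        if is_catch_all(e):
            findings.append((who, "catch-all-filter"))
        if who not in KNOWN_BATCH_CALLERS:
            findings.append((who, "unusual-principal"))
        if e.get("errorCode") == "AccessDeniedException":
            findings.append((who, "access-denied"))
        ts = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        by_principal[who].append((ts, e["awsRegion"]))
    for who, calls in by_principal.items():
        calls.sort()  # sliding window over each principal's calls, ordered by time
        for i, (t0, _) in enumerate(calls):
            if len({r for t, r in calls[i:] if t - t0 <= window}) >= region_threshold:
                findings.append((who, "multi-region"))
                break
    return findings
```

The rotation role produces no findings; the assumed-role session is flagged on every signal, which is the combination the tuning hints describe.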