Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-049: Secrets Store / Vault Identity Exposure
Machine Identity Exfiltration - A Critical Breach Pattern
What This Breach Pattern Is
This breach pattern occurs when attackers gain unauthorized access to secrets stores or vault systems that contain critical machine identity credentials. Vault systems centralize storage of service principal credentials, machine identity certificates, workload identity tokens, API keys, database credentials, CI/CD pipeline secrets, signing keys, webhook tokens, and cloud provider access tokens.
Because machine identities—not humans—are the primary consumers of vault systems, compromising a vault often yields machine identity skeleton keys. This results in rapid, uncontrolled compromise of cloud workloads, SaaS integrations, automation agents, service principals, CI/CD pipelines, container orchestrators, and backend services.
Common Vault Targets
  • Azure Key Vault
  • AWS Secrets Manager
  • GCP Secret Manager
  • HashiCorp Vault
  • GitHub Actions Secrets
  • GitLab CI/CD Variables
  • Kubernetes Secrets
  • Jenkins Credentials Store
This is one of the highest-impact breach patterns involving machine identities, enabling attackers to compromise entire identity ecosystems at scale.
Attacker Objectives & Misconfigurations
Primary Attack Goals
  • Impersonate machine identities
  • Authenticate into cloud workloads
  • Escalate privileges across platforms
  • Pivot into CI/CD agents
  • Deploy rogue services
  • Propagate through trust paths
  • Obtain signing keys for persistence
  • Compromise identity ecosystems
Enabling Misconfigurations
MC-521: Vault access policies too broad—workloads granted access to entire stores instead of specific keys
MC-522: Secrets stored in plaintext or config files outside the vault
MC-523: No key rotation policies—secrets valid for months or years
MC-524: Insecure access from CI/CD or automation agents without isolation
Vault access is essentially full machine identity compromise at scale. Attackers leverage exposed secrets to extract sensitive application configuration and move laterally across multi-cloud environments.
Detection Signals
1. DL-024: Unusual Secret Fetches
Machine identities retrieving secrets they don't normally use or accessing vault paths outside their typical behavior patterns.
2. DL-056: Suspicious Machine Authentication
Machine tokens used to access vaults from abnormal locations, times, or network segments, indicating potential compromise.
3. DL-041: Abnormal Token Issuance
Vault-aware identities generating excessive tokens or tokens for unexpected services, indicating automated lateral movement.
4. DL-088: Unauthorized Role Escalation
Secrets used to escalate privileges, assume new roles, or access resources beyond the original scope of the machine identity.
Early detection is critical—vault breaches enable multi-system machine identity compromise within minutes. Monitoring unusual access patterns, authentication anomalies, and privilege escalation attempts provides essential visibility into potential vault exposure.
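As an added example (not part of this framework), the Python below replays a handful of constructed vault audit events and raises DL-024 when a known identity fetches a path it has never fetched before, and DL-056 when it authenticates from a new network or outside its usual hours; the event format, identity names, addresses and the business-hours window are all assumptions, not any vendor's log schema.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (assumed format): which machine identity
# fetched which secret path, from which source address, and when.
AUDIT_LOG = """
{"identity":"svc-billing","path":"kv/billing/db","src":"10.20.1.15","ts":"2026-01-05T09:12:00"}
{"identity":"svc-billing","path":"kv/billing/db","src":"10.20.1.16","ts":"2026-01-06T09:13:00"}
{"identity":"ci-runner-7","path":"kv/ci/deploy-key","src":"10.30.4.8","ts":"2026-01-06T14:01:00"}
{"identity":"svc-billing","path":"kv/ci/deploy-key","src":"10.20.1.15","ts":"2026-01-07T09:10:00"}
{"identity":"ci-runner-7","path":"kv/ci/deploy-key","src":"198.51.100.23","ts":"2026-01-08T03:22:00"}
""".strip().splitlines()

BUSINESS_HOURS = range(7, 20)  # assumed normal activity window for these workloads


def detect(lines):
    """Replay events in order; each one is judged against the baseline that
    earlier events established for the same identity (paths and /24 networks).
    In production the baseline would come from a fixed learning window rather
    than from everything seen so far, so a first anomaly is not absorbed."""
    paths, nets = defaultdict(set), defaultdict(set)
    alerts = []
    for line in lines:
        e = json.loads(line)
        ident = e["identity"]
        net = e["src"].rsplit(".", 1)[0]          # crude /24 grouping
        hour = datetime.fromisoformat(e["ts"]).hour
        # DL-024: a known identity fetching a secret path outside its history
        if paths[ident] and e["path"] not in paths[ident]:
            alerts.append(("DL-024", ident, e["path"]))
        # DL-056: a known identity arriving from a new network or at an odd hour
        if nets[ident] and (net not in nets[ident] or hour not in BUSINESS_HOURS):
            alerts.append(("DL-056", ident, e["src"]))
        paths[ident].add(e["path"])
        nets[ident].add(net)
    return alerts


if __name__ == "__main__":
    for signal, ident, detail in detect(AUDIT_LOG):
        print(f"{signal}: {ident} -> {detail}")
```

The billing service pulling the CI deploy key and the CI runner authenticating from an outside address at 03:22 are the two events the replay flags.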
Attack Chain Mapping & Threat Actors
Identity Attack Chain Stages
01. Stage 3: Credential Acquisition - Initial vault breach and secret extraction
02. Stage 5: Privilege Escalation - Using vault secrets to elevate permissions
03. Stage 7: Lateral Movement - Identity-based pivoting across systems
04. Stage 8: Persistence - Establishing long-term access via identity
05. Stage 9: Action on Objectives - Executing final attack goals
Active Threat Actors
APT29 (ICTAM-001)
Harvests vault secrets to maintain cloud persistence and establish backdoors across enterprise environments.
RaaS Affiliates (ICTAM-020)
Target CI/CD vaults for mass identity access, enabling rapid ransomware deployment.
Supply-Chain Groups (ICTAM-040)
Use vault dumps to pivot across platforms and compromise downstream customers.
Stealer Botnets (ICTAM-030)
Extract secrets stored in local config files for credential harvesting operations.
Executive Storylines & Navigation
1. ETS-003: Machine Token Theft → Cloud Escalation
2. ETS-010: SaaS Integration Exposure → Multi-System Breach
Vault identity exposure represents a critical inflection point in cloud security incidents. Understanding this breach pattern through executive storylines helps security leaders communicate risk, prioritize remediation efforts, and secure machine identity infrastructure against sophisticated adversaries.