catalog logoThe IAM Privilege Catalog

risks / Cryptographic exfiltration

Description

Allows an attacker to export cryptographic material from a system. Implies "Account Takeover" when the cryptographic material is an account credential.

Risk: CRITICAL

Exploited in isolation, this risk has the potential to disrupt central organizational operations, destroy trust, or create significant liability. Alternatively, this risk gives attackers access to broadly provisioned identities that enable the above impacts (such as root privilege escalation risks).

Mitigations

  1. Rotate credentials
  2. Avoid secret re-use

Links

  1. https:/​/​attack.mitre.org/​techniques/​T1552/​

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Amazon Web Services

appsync:ListApiKeys
athena:GetSession
chatbot:GetMicrosoftTeamsOauthParameters
chatbot:GetSlackOauthParameters
chime:CreateApiKey
cloud9:CreateEnvironmentSSH
cloud9:CreateEnvironmentToken
codeartifact:GetAuthorizationToken
codepipeline:PollForJobs
cognito-identity:GetCredentialsForIdentity
cognito-identity:GetOpenIdToken
cognito-identity:GetOpenIdTokenForDeveloperIdentity
cognito-idp:DescribeUserPoolClient
cognito-idp:GetUserAttributeVerificationCode
connect:GetFederationToken
connect:ListSecurityKeys
ec2-instance-connect:SendSSHPublicKey
ec2:GetPasswordData
ecr-public:GetAuthorizationToken
ecr:GetAuthorizationToken
gamelift:GetComputeAuthToken
gamelift:GetGameSessionLogUrl
gamelift:GetInstanceAccess
gamelift:RequestUploadCredentials
iam:CreateAccessKey
iam:CreateLoginProfile
iam:CreateServiceSpecificCredential
iam:ResetServiceSpecificCredential
iam:UpdateAccessKey
lightsail:DownloadDefaultKeyPair
lightsail:GetBucketAccessKeys
lightsail:GetKeyPair
lightsail:GetKeyPairs
lightsail:GetRelationalDatabaseMasterUserPassword
mediapackage:RotateChannelCredentials
mediapackage:RotateIngestEndpointCredentials
rds-db:connect
redshift:GetClusterCredentials
snowball:GetJobUnlockCode
sso-directory:ListBearerTokens
storagegateway:DescribeChapCredentials
sts:AssumeRole
sts:AssumeRoleWithSAML
sts:AssumeRoleWithWebIdentity
sts:GetFederationToken
sts:GetSessionToken
waf-regional:GetChangeToken
waf:GetChangeToken

Google Cloud Platform

container.secrets.get
container.secrets.list
secretmanager.versions.access

Kubernetes

core/secrets.get
core/secrets.list
© 2023–present P0 Security and contributors to the IAM Privilege Catalog