List Secrets in Secrets Manager
An adversary may attempt to enumerate the secrets in secrets manager, in order to find secrets to access.
aws secretsmanager list-secrets
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:ListSecrets AND eventSource:*.secretsmanager.amazonaws.com
--- title: List Secrets in Secrets Manager id: 40b578f3-5056-42b8-ae6b-13e5b015d817 status: experimental author: Nick Jones date: 2020-06-18 description: An adversary may attempt to enumerate the secrets in secrets manager, in order to find secrets to access. logsource: service: cloudtrail detection: selection_source: - eventSource: "*.secretsmanager.amazonaws.com" events: - eventName: "ListSecrets" condition: selection_source AND events level: low tags: - attack.t1089