MITRE ATT&CK® Analytic

AN0366: Analytic 0366

Detection of suspicious access to cloud-native secret management systems (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault). Focuses on abnormal secret retrieval activity, such as secrets being accessed by unusual identities, from unexpected regions, outside business hours, or at high volume. Correlates API calls to secret retrieval with surrounding authentication events, role assumptions, and anomalous execution patterns.

Domain: Enterprise | ID: AN0366 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0366 is a cloud detection analytic for spotting suspicious access to secret-management systems such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and HashiCorp Vault in IaaS environments. Its business value is that secrets often unlock databases, applications, service accounts, and automation pipelines; abnormal retrieval can be an early warning that identity or workload access has moved beyond normal operational use.

Executive priority

Treat this as a control-validation priority for cloud resilience and incident readiness. Leaders should ask whether secret access is logged consistently, whether normal access patterns are understood, and whether the SOC can quickly distinguish legitimate automation from unusual identity, region, time-of-day, or high-volume retrieval behavior. This also supports audit and compliance evidence around privileged access monitoring and protection of sensitive credentials.

Technical view

For SOC, detection engineering, and IR teams, validate that cloud secret retrieval API activity is correlated with authentication events, role assumptions, source location or region, timing, identity context, and nearby execution activity. Because no ATT&CK tactic or relationship context is supplied, this should be treated as a behavior-focused cloud analytic rather than tied to a specific adversary phase. Baselines are important: service accounts, CI/CD jobs, and scheduled workloads may legitimately retrieve secrets at volume, while unusual identities, unexpected regions, after-hours access, or sudden spikes should drive triage.

Likely telemetry

  • Cloud secret-management API logs for secret retrieval events
  • Cloud authentication and authorization logs
  • Role assumption and temporary credential usage events
  • Identity, service account, and workload context
  • Source region, location, network, and time-of-day metadata

Detection direction

  • Confirm logging is enabled for the relevant secret-management services in the IaaS environment.
  • Build baselines for expected secret access by human users, service principals, applications, automation, and CI/CD processes.
  • Alert on unusual identity-to-secret access, unexpected region or location, outside-business-hours retrieval, and high-volume access patterns.
  • Correlate retrieval events with authentication, role assumption, and anomalous execution activity before escalating.
  • Tune carefully for legitimate automation and scheduled jobs to reduce false positives.
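The five detection steps above can be exercised end to end with a small triage routine. The following is an added example written for this page, not detection logic from MITRE or Glexia: it takes a constructed batch of CloudTrail-style records (Secrets Manager GetSecretValue and STS AssumeRole; the account id, ARNs, access-key ids, secret names and timestamps are all invented), compares each retrieval against a hand-built per-identity baseline of known secrets and regions, applies the business-hours and volume rules with a looser threshold for allowlisted automation, and, when a retrieval is flagged, correlates it back to the AssumeRole call that minted the session so the analyst sees which human identity stood behind an automation role. The baseline, business-hours window and thresholds are assumptions for a sample tenant.

```python
"""Triage helper for cloud secret-retrieval events (added example for AN0366).

Input records are constructed to resemble AWS CloudTrail entries for
secretsmanager:GetSecretValue and sts:AssumeRole; all identifiers are invented.
"""
from datetime import datetime, timedelta

# Constructed baseline: which identities normally read which secrets, from where.
BASELINE = {
    "role/ci-deployer": {"secrets": {"prod/db", "prod/api-key"}, "regions": {"us-east-1"}},
    "user/alice":       {"secrets": {"dev/db"},                  "regions": {"us-east-1"}},
}
AUTOMATION = {"role/ci-deployer"}          # identities allowed to read at volume, any hour
BUSINESS_HOURS = range(8, 18)              # UTC; assumption for the sample tenant
VOLUME_THRESHOLD = {"human": 5, "automation": 50}   # reads per trailing window
WINDOW = timedelta(minutes=10)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def identity_of(ev):
    """Normalise an IAM user or assumed-role ARN to the short form used in BASELINE."""
    tail = ev["userIdentity"]["arn"].split(":")[-1]   # "user/alice" or "assumed-role/x/sess"
    parts = tail.split("/")
    return "role/" + parts[1] if parts[0] == "assumed-role" else tail


def find_role_assumption(ev, events):
    """Return the AssumeRole event that issued this session's access key, if any."""
    ident = ev["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None
    key, t = ident.get("accessKeyId"), parse_ts(ev["eventTime"])
    for e in events:
        if e["eventName"] != "AssumeRole":
            continue
        issued = e.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        age = (t - parse_ts(e["eventTime"])).total_seconds()
        if issued == key and 0 <= age <= WINDOW.total_seconds():
            return e
    return None


def evaluate(events):
    """Return findings for secret retrievals that break the baseline or rate rules."""
    reads = sorted((e for e in events if e["eventName"] == "GetSecretValue"),
                   key=lambda e: parse_ts(e["eventTime"]))
    findings = []
    for i, ev in enumerate(reads):
        ident, secret = identity_of(ev), ev["requestParameters"]["secretId"]
        t, kind = parse_ts(ev["eventTime"]), "automation" if ident in AUTOMATION else "human"
        reasons, base = [], BASELINE.get(ident)
        if base is None:
            reasons.append("unknown identity")
        else:
            if secret not in base["secrets"]:
                reasons.append(f"identity never read {secret} before")
            if ev["awsRegion"] not in base["regions"]:
                reasons.append(f"unexpected region {ev['awsRegion']}")
        if kind == "human" and (t.hour not in BUSINESS_HOURS or t.weekday() >= 5):
            reasons.append("outside business hours")
        # Volume: this identity's reads within the trailing window, including this one.
        recent = sum(1 for e in reads[:i + 1]
                     if identity_of(e) == ident and t - parse_ts(e["eventTime"]) <= WINDOW)
        if recent > VOLUME_THRESHOLD[kind]:
            reasons.append(f"{recent} reads in {WINDOW.seconds // 60} min")
        if reasons:   # correlate only what we are about to escalate
            ar = find_role_assumption(ev, events)
            findings.append({"event": ev["eventID"], "identity": ident, "secret": secret,
                             "reasons": reasons, "assume_role": ar["eventID"] if ar else None})
    return findings


def get_secret(eid, when, arn, region, secret, key=None, kind="IAMUser"):
    """Build a constructed GetSecretValue record."""
    return {"eventID": eid, "eventTime": when, "eventName": "GetSecretValue",
            "eventSource": "secretsmanager.amazonaws.com", "awsRegion": region,
            "userIdentity": {"type": kind, "arn": arn, "accessKeyId": key},
            "requestParameters": {"secretId": secret}}


ACCT = "111122223333"   # constructed account id
SAMPLE_EVENTS = [
    # Sunday 02:00 UTC: alice assumes the CI role from a region the role never uses.
    {"eventID": "e1", "eventTime": "2024-03-10T02:00:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com", "awsRegion": "eu-west-3",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIACONSTRUCTED1"}}},
    get_secret("e2", "2024-03-10T02:01:30Z",
               f"arn:aws:sts::{ACCT}:assumed-role/ci-deployer/alice-session",
               "eu-west-3", "prod/db", key="ASIACONSTRUCTED1", kind="AssumedRole"),
] + [   # Monday business hours: alice reads her usual secret six times in ten minutes
    get_secret(f"e{3 + k}", f"2024-03-11T10:0{k}:00Z",
               f"arn:aws:iam::{ACCT}:user/alice", "us-east-1", "dev/db")
    for k in range(6)
] + [
    get_secret("e9", "2024-03-11T10:30:00Z",
               f"arn:aws:iam::{ACCT}:user/alice", "us-east-1", "prod/db"),
    get_secret("e10", "2024-03-11T10:40:00Z",
               f"arn:aws:sts::{ACCT}:assumed-role/ci-deployer/scheduler",
               "us-east-1", "prod/api-key", key="ASIACONSTRUCTED2", kind="AssumedRole"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["event"], f["identity"], f["secret"], f["reasons"], "via", f["assume_role"])
```

Run as-is, the sample produces three findings: e2 (the CI role reading from an unexpected region, linked to AssumeRole e1 and therefore to alice), e8 (the sixth read in the window, over the human threshold) and e9 (a human reading a secret outside her baseline). e10, a normal automation read in the expected region, stays quiet, which is the tuning point the last step above is about.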

Mitigation priorities

  • Prioritize least-privilege access to secrets and regularly review which identities can retrieve sensitive values.
  • Separate human and workload identities so abnormal retrieval patterns are easier to identify.
  • Use centralized logging and retention for secret access, authentication, and role assumption events.
  • Define response playbooks for suspected secret exposure, including access review, credential rotation, and containment decisions.
  • Validate alert routing and escalation so high-risk secret access events are reviewed quickly by cloud and IR teams.

Analyst notes and limits

The supplied ATT&CK object describes a detection analytic, not a technique, and provides no tactic mapping, official detection logic, or relationship context. The strongest use is as a cloud monitoring design requirement: ensure secret retrieval activity can be observed, baselined, correlated, and investigated.

This take is limited to the official STIX fields and external reference supplied. It does not establish adversary use, active exploitation, guaranteed detection coverage, or applicability beyond the listed IaaS platform and named secret-management systems. Local cloud architecture, logging configuration, and identity model determine actual coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3439bd44ab155826...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3439bd44ab15…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0366 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.