AN1201: Analytic 1201

Detects attempts to access or enumerate cloud password/secrets storage services such as AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Monitors API calls for abnormal enumeration or bulk retrieval of secrets.

EnterpriseAN1201AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

AN1201 focuses on detecting unusual access to cloud secrets stores, such as AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager. For executives and security leaders, this matters because secrets stores often protect credentials, API keys, certificates, and other material that can enable broader cloud access if exposed. The business question is not only whether a secrets service exists, but whether the organization can see abnormal enumeration or bulk retrieval attempts before they become an incident-response and continuity problem.

Executive priority

Prioritize this analytic where IaaS environments rely on centralized secrets management. Leaders should ask whether cloud API logging is enabled, retained, and reviewed for secrets-store access; whether SOC teams know what normal secret access looks like; and whether privileged or automated identities have excessive ability to list or retrieve secrets. This is relevant to cloud security, identity governance, incident response readiness, and audit evidence for access monitoring around sensitive credentials.

Technical view

The supplied analytic applies to IaaS and is intended to detect attempts to access or enumerate cloud password and secrets storage services. SOC and detection teams should validate monitoring of cloud control-plane API calls associated with secret listing, description, access, and bulk retrieval patterns across AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager where used. Because no official detection logic or relationship context is provided, teams should baseline expected service accounts, workloads, administrators, and automation that legitimately access secrets, then tune for abnormal volume, unusual principals, unexpected source locations, new access patterns, or broad enumeration across many secrets.

Likely telemetry

Cloud control-plane audit logs for secrets-management services
API call records for secret enumeration, listing, metadata access, and retrieval
Identity and access-management context for users, roles, service accounts, and workload identities
Source context such as IP address, region, account, project, subscription, or tenant where available
Historical baseline of normal secrets-store access by applications, administrators, and automation

Detection direction

Confirm that logging is enabled for the relevant secrets services in each IaaS provider in use.
Build or validate detections for abnormal enumeration or bulk retrieval of secrets, as described by the analytic.
Tune detections against known administrative tasks, deployment pipelines, backup jobs, rotation workflows, and application startup behavior to reduce false positives.
Correlate secrets access with identity context, privilege level, source location, and recent changes to permissions or roles.
Look for coverage gaps in accounts, subscriptions, projects, regions, and tenants that may not send cloud audit data to the SOC.

Mitigation priorities

Inventory where managed secrets services are used and which identities can list or retrieve secrets.
Apply least-privilege access to secrets and separate administrative enumeration rights from runtime retrieval needs where feasible.
Ensure cloud audit logging and retention are sufficient for SOC triage and incident response.
Review high-volume or broad secrets access patterns as part of cloud security and identity governance processes.
Document monitoring coverage and access-review evidence for compliance and readiness assessments.

Analyst notes and limits

This object is a detection analytic, not a full technique description. It provides a clear detection intent around cloud secrets-store access and enumeration, but no ATT&CK tactics, related techniques, detection query, mitigations, or relationships were supplied. Local cloud architecture and identity design are required to decide what is abnormal.

Official detection content is not provided, and there are no supplied relationships. This take is limited to the official description, platform value of IaaS, and the named secrets-management services in the source fields. It does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1201

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: e337f9be3050da6d...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`e337f9be3050…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1201
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use