Edit

Share via

Remediate VM secrets issues

  • Article

Microsoft Defender for Cloud provides secrets scanning for virtual machines (VMs), and for cloud deployments, to reduce lateral movement risk.

This article helps you to identify and remediate security risks with VM secrets.

Prerequisites

Remediate secrets with attack paths

Attack path analysis is a graph-based algorithm that scans your cloud security graph to expose exploitable paths that attackers might use to reach high-impact assets. Defender for Cloud provides several attack paths scenarios for VM secrets.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Recommendations > Attack path.

    Screenshot that shows how to navigate to your attack path in Defender for Cloud.

  3. Select the relevant attack path.

  4. Follow the remediation steps to remediate the attack path.

Remediate secrets with recommendations

If a secret is found on your resource, that resource triggers an affiliated recommendation that is located under the Remediate vulnerabilities security control on the Recommendations page. Defender for Cloud provides a number of VM secrets security recommendations.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Recommendations.

  3. Expand the Remediate vulnerabilities security control.

  4. Select one of the relevant recommendations.

    • Azure resources: Machines should have secrets findings resolved

    • AWS resources: EC2 instances should have secrets findings resolved

    • GCP resources: VM instances should have secrets findings resolved

      Screenshot that shows either of the two results under the Remediate vulnerabilities security control.

  5. Expand Affected resources to review the list of all resources that contain secrets.

  6. In the Findings section, select a secret to view detailed information about the secret.

    Screenshot that shows the detailed information of a secret after you selected the secret in the findings section.

  7. Expand Remediation steps and follow the listed steps.

  8. Expand Affected resources to review the resources affected by this secret.

  9. (Optional) You can select an affected resource to see the resource's information.

Secrets that don't have a known attack path are referred to as secrets without an identified target resource.

Remediate secrets with cloud security explorer

The cloud security explorer enables you to proactively identify potential security risks within your cloud environment. It does so by querying the cloud security graph, which is the context engine of Defender for Cloud. Cloud security explorer provides a number of query templates for investigating VM secrets issues.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.

  3. Select one of the following templates:

    • VM with plaintext secret that can authenticate to another VM - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access other VMs or EC2s.
    • VM with plaintext secret that can authenticate to a storage account - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access storage accounts.
    • VM with plaintext secret that can authenticate to an SQL database - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases.

If you don't want to use any of the available templates, you can also build your own query in the cloud security explorer.

Remediate secrets in the asset inventory

Your asset inventory shows the security posture of the resources you connected to Defender for Cloud. You can view the secrets discovered on a specific machine.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Inventory.

  3. Select the relevant VM.

  4. Go to the Secrets tab.

  5. Review each plaintext secret that appears with the relevant metadata.

  6. Select a secret to view extra details of that secret.

Different types of secrets have different sets of additional information. For example, for plaintext SSH private keys, the information includes related public keys (mapping between the private key to the authorized keys’ file we discovered or mapping to a different virtual machine that contains the same SSH private key identifier).