Revoke the tree, not the token: a Vault secret-path sweep
An over-broad Vault policy lets one leaked token sweep secrets across every team. Revoke its whole lease tree, then treat every secret it read as already compromised.
Vault hands out short-lived tokens governed by policies, and a token can mint child tokens and dynamic leases beneath it. When a token carries too broad a policy, one leak reads everything.
How the attack works
A Vault token attached to an over-broad policy leaks from an application environment. Because the policy grants read on a wide path glob, the attacker reads many secret paths in a single sweep, from a source outside the app’s normal client range: database creds, API keys, and signing material across teams, far beyond the app’s own mount. The token also requests dynamic database credentials from a secrets engine, creating new leases under its tree, then stages the collected material out to an external endpoint. In ATT&CK terms this is T1552, Unsecured Credentials, paired with T1528, Steal Application Access Token.
Why it works
The token’s policy granted read on a broad path glob spanning many teams’ mounts. One credential should never reach across team boundaries. The wide glob is the entire blast radius.
How to fix it
The scenario teaches that revoking the token alone is not enough, because it has a lease tree. You revoke the whole tree, so every child token and dynamic lease it spawned dies with it. Then rotate every static secret it read, because a read secret is a compromised secret regardless of whether Vault’s storage was breached. Sealing the cluster, by contrast, is an avoidable org-wide outage. For the durable fix, scope the policy to least path privilege so it grants only the exact paths the app needs, segment mounts so no single token can span teams, and use short TTLs and response wrapping to limit how long any handed-off secret stays usable. The Vault audit device, filtered to the token accessor and window, is the authoritative record of every path requested, because the policy only shows what was possible, not what was actually read.
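The audit-device sweep described above, as an added example that is not part of the original scenario: it filters Vault file-audit JSON entries to one token accessor and time window and splits what that token successfully read into static paths to rotate and dynamic leases to revoke with the tree. The audit lines, accessor values and lease id are constructed placeholders.

```python
"""Sweep a Vault audit log for every path one token actually read."""
import json
from datetime import datetime

# Constructed audit lines in the shape of Vault's file audit device (one JSON
# object per line). Accessor and lease id values are placeholders, not real ones.
AUDIT_LOG = """\
{"type":"response","time":"2024-05-01T10:00:01Z","auth":{"accessor":"hmac-accessor-A"},"request":{"operation":"read","path":"secret/data/payments/db"},"response":{"mount_type":"kv"}}
{"type":"response","time":"2024-05-01T10:00:02Z","auth":{"accessor":"hmac-accessor-A"},"request":{"operation":"read","path":"secret/data/billing/api-key"}}
{"type":"response","time":"2024-05-01T10:00:03Z","auth":{"accessor":"hmac-accessor-A"},"request":{"operation":"read","path":"database/creds/analytics-role"},"response":{"secret":{"lease_id":"database/creds/analytics-role/PLACEHOLDER-LEASE"}}}
{"type":"response","time":"2024-05-01T10:00:04Z","auth":{"accessor":"hmac-accessor-B"},"request":{"operation":"read","path":"secret/data/payments/db"}}
{"type":"request","time":"2024-05-01T10:00:05Z","auth":{"accessor":"hmac-accessor-A"},"request":{"operation":"update","path":"sys/leases/renew"}}
{"type":"response","time":"2024-05-01T11:30:00Z","auth":{"accessor":"hmac-accessor-A"},"request":{"operation":"read","path":"secret/data/hr/signing-key"}}
"""


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sweep(log_text, accessor, start_iso, end_iso):
    """Return (static_paths, lease_ids) read by `accessor` within the window.

    Only 'response' entries count: a 'request' entry alone does not prove the
    read succeeded. A response carrying a lease_id is a dynamic secret whose
    lease dies with the tree revocation; any other successful read is a static
    secret that must be rotated.
    """
    start, end = _ts(start_iso), _ts(end_iso)
    static_paths, lease_ids = set(), set()
    for line in log_text.splitlines():
        entry = json.loads(line)
        if entry.get("type") != "response":
            continue
        if (entry.get("auth") or {}).get("accessor") != accessor:
            continue
        if not start <= _ts(entry["time"]) <= end:
            continue
        req = entry.get("request") or {}
        if req.get("operation") != "read":
            continue
        secret = (entry.get("response") or {}).get("secret") or {}
        if secret.get("lease_id"):
            lease_ids.add(secret["lease_id"])
        else:
            static_paths.add(req["path"])
    return sorted(static_paths), sorted(lease_ids)


if __name__ == "__main__":
    paths, leases = sweep(AUDIT_LOG, "hmac-accessor-A",
                          "2024-05-01T10:00:00Z", "2024-05-01T10:30:00Z")
    print("rotate:", paths)
    print("revoke with tree:", leases)
```

Widen the window to the token's full lifetime when building the real rotation list; the narrow window here only shows that the filter excludes out-of-window reads.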
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse revoking the lease tree and rotating every secret the token read.