T1552.004 Private Keys Mappings

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.
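The description above names the file extensions, directories and passphrase protection that decide whether a stored key is exposed. The following audit script is an added example written for this page; it is not MITRE's or the mappings project's code. It walks a directory tree, selects files by the listed extensions and by PEM private-key headers, reports whether text-based keys are passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY" label, legacy "Proc-Type: 4,ENCRYPTED" header, or the cipher name inside an openssh-key-v1 blob), and flags keys readable by group or world. The sample files it audits are constructed in a temporary directory and contain no real key material; binary containers such as .p12/.pfx are listed by extension only, since their encryption state is not inspected here.

```python
"""Audit a directory tree for private key material stored without protection (T1552.004)."""
import base64
import binascii
import os
import stat
import struct
import tempfile
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extensions listed in the ATT&CK description of T1552.004.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}
# Any PEM block whose label ends in "PRIVATE KEY" (RSA, EC, OPENSSH, ENCRYPTED, or bare PKCS#8).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?P<label>[A-Z0-9 ]*PRIVATE KEY)-----\r?\n(?P<body>.*?)-----END ", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"
POSIX = os.name == "posix"  # st_mode permission bits are only meaningful on POSIX


@dataclass
class Finding:
    path: str
    selected_by: str                       # "extension", "content" or "extension+content"
    label: Optional[str]                   # PEM label, None for binary formats
    passphrase_protected: Optional[bool]   # None when the format is not inspected here
    group_or_world_readable: bool


def openssh_cipher_name(body_b64: bytes) -> Optional[bytes]:
    """Return the cipher name from an openssh-key-v1 blob; b"none" means the key is plaintext."""
    try:
        blob = base64.b64decode(b"".join(body_b64.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    off = len(OPENSSH_MAGIC)
    if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])  # first field: string ciphername
    return blob[off + 4:off + 4 + n]


def inspect_pem(data: bytes) -> Optional[Tuple[str, bool]]:
    """Return (label, passphrase_protected) for a text-based private key, else None."""
    m = PEM_PRIVATE.search(data)
    if not m:
        return None
    label, body = m.group("label").decode("ascii"), m.group("body")
    if label == "ENCRYPTED PRIVATE KEY":           # PKCS#8, encrypted by definition
        return label, True
    if label == "OPENSSH PRIVATE KEY":
        cipher = openssh_cipher_name(body)
        return label, cipher is not None and cipher != b"none"
    return label, b"Proc-Type: 4,ENCRYPTED" in body  # legacy PEM (PKCS#1 / SEC1) header


def audit_tree(root: str) -> List[Finding]:
    """Select files by extension or content and record protection state."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        by_ext = p.suffix.lower() in KEY_EXTENSIONS
        try:
            with p.open("rb") as fh:
                head = fh.read(65536)
            st = p.stat()
        except OSError:
            continue
        pem = inspect_pem(head)
        if not by_ext and pem is None:
            continue
        reasons = [name for name, hit in (("extension", by_ext), ("content", pem is not None)) if hit]
        findings.append(Finding(
            path=str(p), selected_by="+".join(reasons),
            label=pem[0] if pem else None,
            passphrase_protected=pem[1] if pem else None,
            group_or_world_readable=POSIX and bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
        ))
    return sorted(findings, key=lambda f: f.path)


def _ssh_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def _openssh_sample(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed openssh-key-v1 header (no key material) wrapped in PEM armour."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"


def _pem_sample(label: str, body: bytes) -> bytes:
    return f"-----BEGIN {label}-----\n".encode() + body + f"-----END {label}-----\n".encode()


def demo() -> Dict[str, Finding]:
    """Audit a constructed sample tree; returns findings keyed by file name."""
    root = Path(tempfile.mkdtemp(prefix="t1552_004_"))
    samples = {
        "id_ed25519": (_openssh_sample(b"none", b"none"), 0o644),                 # plaintext, world-readable
        "id_ed25519.enc": (_openssh_sample(b"aes256-ctr", b"bcrypt"), 0o600),     # passphrase-protected
        "server.key": (_pem_sample("RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA\n"), 0o600),
        "client.pem": (_pem_sample("PRIVATE KEY", b"AAAA\n"), 0o600),             # PKCS#8, unencrypted
        "store.p12": (b"\x30\x82\x00\x00 constructed placeholder", 0o600),        # binary container
        "notes.txt": (b"nothing to see here", 0o644),                             # should not be reported
    }
    for name, (content, mode) in samples.items():
        f = root / name
        f.write_bytes(content)
        if POSIX:
            os.chmod(f, mode)
    return {Path(f.path).name: f for f in audit_tree(str(root))}


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{name:16} {f.selected_by:18} protected={f.passphrase_protected} exposed={f.group_or_world_readable}")
```

Run against a real home directory or a configuration repository, the same `audit_tree` call lists keys that would satisfy an adversary's extension search, and the `passphrase_protected` and `group_or_world_readable` fields are what SC-28 and IA-5 controls in the table below are meant to drive to True and False respectively.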


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1552.004 | Private Keys |
| AC-17 | Remote Access | Protects | T1552.004 | Private Keys |
| AC-18 | Wireless Access | Protects | T1552.004 | Private Keys |
| AC-19 | Access Control for Mobile Devices | Protects | T1552.004 | Private Keys |
| AC-2 | Account Management | Protects | T1552.004 | Private Keys |
| AC-20 | Use of External Systems | Protects | T1552.004 | Private Keys |
| CA-7 | Continuous Monitoring | Protects | T1552.004 | Private Keys |
| CA-8 | Penetration Testing | Protects | T1552.004 | Private Keys |
| CM-2 | Baseline Configuration | Protects | T1552.004 | Private Keys |
| CM-6 | Configuration Settings | Protects | T1552.004 | Private Keys |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1552.004 | Private Keys |
| IA-5 | Authenticator Management | Protects | T1552.004 | Private Keys |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1552.004 | Private Keys |
| SA-11 | Developer Testing and Evaluation | Protects | T1552.004 | Private Keys |
| SA-15 | Development Process, Standards, and Tools | Protects | T1552.004 | Private Keys |
| SC-12 | Cryptographic Key Establishment and Management | Protects | T1552.004 | Private Keys |
| SC-28 | Protection of Information at Rest | Protects | T1552.004 | Private Keys |
| SC-4 | Information in Shared System Resources | Protects | T1552.004 | Private Keys |
| SC-7 | Boundary Protection | Protects | T1552.004 | Private Keys |
| SI-12 | Information Management and Retention | Protects | T1552.004 | Private Keys |
| SI-4 | System Monitoring | Protects | T1552.004 | Private Keys |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1552.004 | Private Keys |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1552.004 | Unsecured Credentials: Private Keys |
| attribute.confidentiality.data_disclosure | | related-to | T1552.004 | Unsecured Credentials: Private Keys |