T1552.004 Private Keys Mappings

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on *nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)

On network devices, private keys may be exported via Network Device CLI commands such as <code>crypto pki export</code>.(Citation: cisco_deploy_rsa_keys)

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
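A defender-side audit of the storage weaknesses the description above relies on, added here as an example and not part of the ATT&CK page or the mappings project: it walks a directory for files with the listed extensions and the default <code>~/.ssh</code> key names, reads the cipher field of OpenSSH-format private keys (a value of "none" means no passphrase), falls back to the legacy PEM ENCRYPTED/DEK-Info markers, and flags keys readable by group or others, which is the condition controls such as SC-28 and IA-05 are meant to prevent. The fixture tree, file names and placeholder key bytes are constructed for the example.

```python
import base64
import stat
import tempfile
from pathlib import Path

KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}  # per description
SSH_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}  # default private key names under ~/.ssh
MAGIC = b"openssh-key-v1\x00"

def openssh_cipher(body):
    """Cipher name recorded in an OpenSSH-format private key ('none' means no passphrase), else None."""
    b64 = b"".join(l for l in body.splitlines() if not l.startswith(b"-----"))
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None  # DER or another binary container, not a base64 PEM body
    if not raw.startswith(MAGIC) or len(raw) < len(MAGIC) + 4:
        return None
    n = int.from_bytes(raw[len(MAGIC):len(MAGIC) + 4], "big")
    return raw[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode("ascii", "replace")

def audit_key_file(path):
    """Flag a private key that is group/world readable or stored without a passphrase."""
    cipher = openssh_cipher(body := path.read_bytes())
    if cipher is None and b"PRIVATE KEY-----" not in body:
        return None  # certificate, public key or a binary container this check does not parse
    # Legacy PEM keys mark passphrase protection with an ENCRYPTED / DEK-Info header.
    unencrypted = cipher == "none" if cipher is not None else (b"ENCRYPTED" not in body and b"DEK-Info:" not in body)
    others = bool(stat.S_IMODE(path.stat().st_mode) & (stat.S_IRGRP | stat.S_IROTH))
    return {"path": str(path), "unencrypted": unencrypted, "others_readable": others} if unencrypted or others else None

def scan(root):
    candidates = (p for p in sorted(root.rglob("*")) if p.is_file()
                  and (p.suffix.lower() in KEY_EXTENSIONS or p.name in SSH_KEY_NAMES))
    return [f for f in map(audit_key_file, candidates) if f]

def build_sample_tree():
    """Constructed fixture: a world-readable, passphrase-less OpenSSH key beside an encrypted, mode 0600 PEM key."""
    root = Path(tempfile.mkdtemp())
    ssh_key = root / ".ssh" / "id_ed25519"
    ssh_key.parent.mkdir()
    blob = MAGIC + (4).to_bytes(4, "big") + b"none" + b"\x00" * 16  # placeholder bytes, not a real key
    ssh_key.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob)
                        + b"-----END OPENSSH PRIVATE KEY-----\n")
    ssh_key.chmod(0o644)
    pem_key = root / "server.key"
    pem_key.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    pem_key.chmod(0o600)
    return root
```

Running <code>scan(build_sample_tree())</code> reports only the <code>.ssh/id_ed25519</code> file; <code>.p12</code>/<code>.pfx</code> containers are matched by name but not parsed, so they surface only via the permission check.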


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1552.004 | Private Keys |
| AC-17 | Remote Access | Protects | T1552.004 | Private Keys |
| AC-18 | Wireless Access | Protects | T1552.004 | Private Keys |
| AC-19 | Access Control for Mobile Devices | Protects | T1552.004 | Private Keys |
| AC-02 | Account Management | Protects | T1552.004 | Private Keys |
| AC-20 | Use of External Systems | Protects | T1552.004 | Private Keys |
| CA-07 | Continuous Monitoring | Protects | T1552.004 | Private Keys |
| CA-08 | Penetration Testing | Protects | T1552.004 | Private Keys |
| CM-02 | Baseline Configuration | Protects | T1552.004 | Private Keys |
| CM-06 | Configuration Settings | Protects | T1552.004 | Private Keys |
| IA-02 | Identification and Authentication (Organizational Users) | Protects | T1552.004 | Private Keys |
| IA-05 | Authenticator Management | Protects | T1552.004 | Private Keys |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1552.004 | Private Keys |
| SA-11 | Developer Testing and Evaluation | Protects | T1552.004 | Private Keys |
| SA-15 | Development Process, Standards, and Tools | Protects | T1552.004 | Private Keys |
| SC-12 | Cryptographic Key Establishment and Management | Protects | T1552.004 | Private Keys |
| SC-28 | Protection of Information at Rest | Protects | T1552.004 | Private Keys |
| SC-04 | Information in Shared System Resources | Protects | T1552.004 | Private Keys |
| SC-07 | Boundary Protection | Protects | T1552.004 | Private Keys |
| SI-12 | Information Management and Retention | Protects | T1552.004 | Private Keys |
| SI-04 | System Monitoring | Protects | T1552.004 | Private Keys |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1552.004 | Private Keys |
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1552.004 | Private Keys |