T1552.004 Private Keys Mappings

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)

On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
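
As an added example (not part of the original page or of MITRE's material), the following audit checks a directory tree you administer for the exposure this technique relies on: key files selected by the extensions listed above or by a PEM private-key header, flagged when they are accessible beyond the owner or stored without a passphrase. The function names and finding strings are assumptions of this example; extension-only matches are candidates for manual review.

```python
import base64, os, re, stat

# Extensions from the technique description; used only to select candidate files.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\x00"

def pem_key_is_encrypted(label, body):
    """Tell from the PEM label/body whether a private key is passphrase-protected."""
    if label == b"ENCRYPTED PRIVATE KEY":        # PKCS#8 encrypted container
        return True
    if label == b"OPENSSH PRIVATE KEY":          # cipher name follows the magic string
        blob = base64.b64decode(b"".join(body.split()))
        n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "big")
        return blob.startswith(MAGIC) and blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    return b"Proc-Type: 4,ENCRYPTED" in body     # legacy OpenSSL PEM header

def audit_file(path):
    """Return findings for one file; [] means not key material or nothing to report."""
    with open(path, "rb") as fh:
        data = fh.read(65536)
    match = PEM_RE.search(data)
    if not match and os.path.splitext(path)[1].lower() not in KEY_EXTENSIONS:
        return []
    findings = []
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("accessible to group/other")
    if match and not pem_key_is_encrypted(match.group(1), match.group(2)):
        findings.append("private key stored without passphrase")
    return findings

def audit_tree(root):
    """Walk root and map each flagged path to its findings."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):         # skip sockets, FIFOs, broken links
                continue
            try:
                findings = audit_file(path)
            except (OSError, ValueError):        # unreadable file or malformed base64
                continue
            if findings:
                report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_tree(os.path.expanduser("~/.ssh")).items():
        print(path, "->", "; ".join(findings))
```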


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| intel-aes-ni | Intel Advanced Encryption Standard - New Instructions | Win 11, BitLocker | T1552.004 | Private Keys | |
Comments
BitLocker uses the TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker can also add pre-boot authentication (such as a PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure that none of the boot components or OS components have been tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check the integrity of early boot components, configuration data, and OS components, preventing attacks that modify those components. If a PIN is configured, data on the encrypted volume can't be accessed without entering it. TPMs (Intel PTT) also have anti-hammering protection designed to prevent brute-force attacks that attempt to determine the PIN. BitLocker can protect against manipulation of stored data on the drive until it is unlocked.