Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standard as it applies to the Private Keys technique, when possible, consider storing keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects against Unsecured Credentials: Private Keys through the use of revocation of keys and key management. Employing key protection strategies for key material such as private keys used in protecting credentials, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise credentials.
References
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries via private key certificate files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries via private key certificate files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects against Private Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standard as it applies to the Private Keys technique, when possible, consider storing keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1552.004 | Private Keys | |
| attribute.confidentiality.data_disclosure | None | related-to | T1552.004 | Private Keys |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1552.004 | Private Keys |
Comments
Provides significant protection of private keys.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1552.004 | Private Keys |
Comments
Google Cloud's HSM may protect against adversary's attempts to compromise private key certificate files (e.g., .key, .pgp, .ppk, .p12). Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.
References
|
| cloud_key_management | Cloud Key Management | technique_scores | T1552.004 | Private Keys |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_cloudhsm | AWS CloudHSM | technique_scores | T1552.004 | Private Keys |
Comments
This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.
References
|
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552.004 | Private Keys |
Comments
The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and repurposed by an adversary: "Device certificate shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" in the CLI and API) and "Revoked device certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys.
Coverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial.
References
|
| aws_key_management_service | AWS Key Management Service | technique_scores | T1552.004 | Private Keys |
Comments
This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.
References
|
| aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552.004 | Private Keys |
Comments
This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References
|