Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-08 | User Access Review | mitigates | T1552.004 | Private Keys |
Comments
This control describes the periodic review and validation of user access by centralizing access management, automating review processes, and continuously monitoring for unauthorized activities. These mitigative actions ensure that access rights remain appropriate, obsolete or excessive privileges are removed, and potential security access risks are promptly identified and mitigated. For this technique, ensure only authorized keys are allowed access to critical resources and perform automated reviews of access lists regularly.
References
|
| UEM-08 | Storage Encryption | mitigates | T1552.004 | Private Keys |
Comments
This control provides for implementation of endpoint storage encryption. Encryption ensures the confidentiality of data such as credentials, preventing unauthorized access. When possible, keys should be stored on separate cryptographic hardware instead of on the local system.
References
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1552.004 | Private Keys |
Comments
This control provides for the use of secure and encrypted communication
channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data such as credentials, preventing unauthorized access.
References
|
| CEK-03 | Data Encryption | mitigates | T1552.004 | Private Keys |
Comments
This control provides cryptographic protection for data-at-rest within the cloud environment. Encryption ensures the confidentiality of data such as credentials, preventing unauthorized access. When possible, keys should be stored on separate cryptographic hardware instead of on the local system.
References
|
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1552.004 | Private Keys |
Comments
This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.
References
|