Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1552.004 | Private Keys |
Comments
The Azure Sentinel Analytics "ADFS DKM Master Key Export" and "ADFS Key Export (Sysmon)" queries can detect potentially malicious access intended to decrypt access tokens. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures.
The coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1552.004 | Private Keys |
Comments
Provides significant protection of private keys.
References
|