T1552.004 Private Keys Mappings

Adversaries may search compromised systems for private key and certificate files that have been stored insecurely. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on *nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. Note that the default OpenSSH key files (id_rsa, id_ecdsa, id_ed25519) carry no extension at all, so the directory matters as much as the extension. These private keys can be used to authenticate to Remote Services like SSH or to decrypt other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase offline.
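Hunting the same artifacts defensively: the audit below walks the extensions and key directories named above, separates unencrypted private keys from passphrase-protected ones by their on-disk headers (the Proc-Type header of legacy PEM, the ENCRYPTED armor label of PKCS#8, the cipher and KDF names at the front of an openssh-key-v1 blob, the Encryption: line of a PuTTY .ppk), and flags keys that other local users can read. This is an added example, not code from ATT&CK or from the mappings project; the key fragments it builds for testing are constructed (they carry headers only, not usable key material) and all function names are my own.

```python
"""Audit for private-key files stored without a passphrase or with loose permissions (T1552.004)."""
import base64
import os
import stat
import struct
from pathlib import Path

# Extensions named in the technique description.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}
# Everything inside a .ssh directory is a candidate: OpenSSH defaults (id_rsa, id_ed25519) have no extension.
KEY_DIR_NAMES = {".ssh"}


def _ssh_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix) from blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_key_material(data):
    """Classify file contents as {'kind': str, 'encrypted': True | False | None}.

    None means the file is key material whose protection cannot be read from the
    headers alone (binary PKCS#12, PGP armor) and needs a closer look."""
    text = data.decode("utf-8", errors="replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        # Strip the armor, base64-decode, then read magic, cipher name and KDF name.
        body = text.split("-----BEGIN OPENSSH PRIVATE KEY-----", 1)[1]
        body = body.split("-----END OPENSSH PRIVATE KEY-----", 1)[0]
        blob = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return {"kind": "openssh-private-key", "encrypted": None}
        cipher, off = _ssh_string(blob, len(magic))
        kdf, _ = _ssh_string(blob, off)
        # cipher "none" with kdf "none" means the private section is stored in the clear.
        return {"kind": "openssh-private-key", "encrypted": not (cipher == b"none" and kdf == b"none")}
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return {"kind": "pkcs8-private-key", "encrypted": True}
    if "-----BEGIN PRIVATE KEY-----" in text:
        return {"kind": "pkcs8-private-key", "encrypted": False}
    for alg in ("RSA", "EC", "DSA"):
        if f"-----BEGIN {alg} PRIVATE KEY-----" in text:
            # Legacy PEM is encrypted only when the Proc-Type/DEK-Info headers are present.
            return {"kind": f"pem-{alg.lower()}-private-key", "encrypted": "Proc-Type: 4,ENCRYPTED" in text}
    if text.startswith("PuTTY-User-Key-File-"):
        enc = [line.split(":", 1)[1].strip() for line in text.splitlines() if line.startswith("Encryption:")]
        return {"kind": "putty-ppk", "encrypted": bool(enc) and enc[0] != "none"}
    if "-----BEGIN PGP PRIVATE KEY BLOCK-----" in text:
        return {"kind": "pgp-private-key", "encrypted": None}
    if "-----BEGIN CERTIFICATE-----" in text:
        return {"kind": "certificate", "encrypted": None}
    return {"kind": "unknown", "encrypted": None}


def candidate_files(roots):
    """Yield files under roots that carry a key extension or live in a key directory."""
    for root in roots:
        for dirpath, _, filenames in os.walk(root):  # os.walk skips unreadable dirs instead of raising
            in_key_dir = any(part in KEY_DIR_NAMES for part in Path(dirpath).parts)
            for name in filenames:
                path = Path(dirpath) / name
                if in_key_dir or path.suffix.lower() in KEY_EXTENSIONS:
                    yield path


def audit(roots, max_size=1_000_000):
    """Return findings for private keys that are unencrypted, of undetermined protection,
    or readable by group/others (the permission check only applies on POSIX)."""
    findings = []
    for path in candidate_files(roots):
        try:
            st = path.stat()
            if st.st_size > max_size or not stat.S_ISREG(st.st_mode):
                continue
            info = classify_key_material(path.read_bytes())
        except OSError:
            continue
        if info["kind"] in ("unknown", "certificate"):
            continue
        loose = os.name == "posix" and bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
        if info["encrypted"] is not True or loose:
            findings.append({"path": str(path), "kind": info["kind"],
                             "encrypted": info["encrypted"], "loose_permissions": loose})
    return findings


def build_openssh_sample(cipher, kdf):
    """Constructed OpenSSH armor carrying only magic, cipher and KDF names: enough for the
    classifier to decide, not a usable key (test data, not a real key format emitter)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1:] or [str(Path.home() / ".ssh")]):
        print(finding)
```

Run it as `python audit_keys.py /home /etc/ssl/private` (or with no arguments to scan only your own ~/.ssh). Anything it reports with `encrypted: False` is exactly what the tools cited above are looking for; a PGP keyring or PKCS#12 bundle comes back as `encrypted: None` because its protection cannot be read from the headers, so those still need a manual check.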


NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
------------- | ---------------------- | ------------ | --------- | ----------- | -----
AC-16 | Security and Privacy Attributes | Protects | T1552.004 | Private Keys |
AC-17 | Remote Access | Protects | T1552.004 | Private Keys |
AC-18 | Wireless Access | Protects | T1552.004 | Private Keys |
AC-19 | Access Control for Mobile Devices | Protects | T1552.004 | Private Keys |
AC-2 | Account Management | Protects | T1552.004 | Private Keys |
AC-20 | Use of External Systems | Protects | T1552.004 | Private Keys |
CA-7 | Continuous Monitoring | Protects | T1552.004 | Private Keys |
CA-8 | Penetration Testing | Protects | T1552.004 | Private Keys |
CM-2 | Baseline Configuration | Protects | T1552.004 | Private Keys |
CM-6 | Configuration Settings | Protects | T1552.004 | Private Keys |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1552.004 | Private Keys |
IA-5 | Authenticator Management | Protects | T1552.004 | Private Keys |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1552.004 | Private Keys |
SA-11 | Developer Testing and Evaluation | Protects | T1552.004 | Private Keys |
SA-15 | Development Process, Standards, and Tools | Protects | T1552.004 | Private Keys |
SC-12 | Cryptographic Key Establishment and Management | Protects | T1552.004 | Private Keys |
SC-28 | Protection of Information at Rest | Protects | T1552.004 | Private Keys |
SC-4 | Information in Shared System Resources | Protects | T1552.004 | Private Keys |
SC-7 | Boundary Protection | Protects | T1552.004 | Private Keys |
SI-12 | Information Management and Retention | Protects | T1552.004 | Private Keys |
SI-4 | System Monitoring | Protects | T1552.004 | Private Keys |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1552.004 | Private Keys |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
------------- | ---------------------- | ------------ | --------- | ----------- | -----
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1552.004 | Unsecured Credentials: Private Keys |

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
------------- | ---------------------- | ------------ | --------- | ----------- | -----
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1552.004 | Private Keys | see comments
aws_key_management_service | AWS Key Management Service | technique_scores | T1552.004 | Private Keys | see comments
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1552.004 | Private Keys | see comments
aws_cloudhsm | AWS CloudHSM | technique_scores | T1552.004 | Private Keys | see comments

Comments: aws_iot_device_defender (AWS IoT Device Defender)

The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and repurposed by an adversary: "Device certificate shared" (DEVICE_CERTIFICATE_SHARED_CHECK in the CLI and API) and "Revoked device certificate still active" (REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK in the CLI and API). These can indicate that devices are in use with duplicate certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys. Coverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial.

Comments: aws_key_management_service (AWS Key Management Service)

This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.

Comments: aws_secrets_manager (AWS Secrets Manager)

This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.

Comments: aws_cloudhsm (AWS CloudHSM)

This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.