T1552.004: Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity. An adversary with access to the device may be able to export the keys in order to impersonate the device.
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mssql_database: PT-CR-411: MSSQL_Dump_Key_Or_Certificate: An attempt to dump an encryption key or database certificate
unix_mitre_attck_cred_access: PT-CR-1692: Unix_Private_Keys_Read: Files containing private keys in Unix systems were read
mitre_attck_discovery: PT-CR-2458: Dump_Bitlocker_Keys_From_AD: Attempt to access the ms-FVE-RecoveryInformation class and its ms-FVE-VolumeGuid, ms-FVE-KeyPackage, ms-FVE-RecoveryPassword, and ms-FVE-RecoveryGuid attributes containing information about the volumes encrypted using the Windows BitLocker feature as well as the recovery keys. An attacker can use this information to decrypt the protected data.
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials.
DS0022 | File: File Access | Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity.
Mitigation
ID | Name | Description
---|---|---
M1027 | Password Policies | Use strong passphrases for private keys to make cracking difficult.
M1022 | Restrict File and Directory Permissions | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the
M1047 | Audit | Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.
M1041 | Encrypt Sensitive Information | When possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.
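
The following Python audit is an added example (not from the original page or from any Positive Technologies product) of checking mitigations M1022 and M1027 on a key directory: it flags private keys that group/other can access and keys stored without a passphrase. It assumes POSIX permission bits and covers only PEM and OpenSSH-format keys; the function names are hypothetical.

```python
import base64, os, re, stat, struct, sys
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def passphrase_protected(data):
    """True/False for a PEM or OpenSSH private key; None if no parsable key is found."""
    m = PEM_RE.search(data)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    # PKCS#8 encrypted container, or the legacy OpenSSL PEM encryption header.
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return True
    if label == b"OPENSSH PRIVATE KEY":
        # openssh-key-v1 layout: magic, then a length-prefixed cipher name;
        # the cipher name "none" means the key is stored in plaintext.
        try:
            blob = base64.b64decode(b"".join(body.split()))
            (n,) = struct.unpack_from(">I", blob, len(OPENSSH_MAGIC))
        except (ValueError, struct.error):
            return None
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        start = len(OPENSSH_MAGIC) + 4
        return blob[start:start + n] != b"none"
    return False  # plain PKCS#1 / PKCS#8 / SEC1 key with no encryption marker

def audit_key_dir(root):
    """Walk root; return [(path, [issues])] for private keys violating M1022/M1027."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)  # POSIX bits (assumption)
                with open(path, "rb") as fh:
                    protected = passphrase_protected(fh.read(1 << 20))
            except OSError:
                continue  # unreadable or vanished file: nothing to report
            if protected is None:
                continue  # not a private key file
            issues = [msg for bad, msg in (
                (mode & 0o077, "accessible by group/other (mode %o)" % mode),
                (not protected, "no passphrase")) if bad]
            if issues:
                findings.append((path, issues))
    return findings

if __name__ == "__main__":
    for path, issues in audit_key_dir(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")):
        print(path, "; ".join(issues))
```

Keys are identified by content rather than by extension, so a private key saved under an unrelated file name is still reported.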