T1552.004: Private Keys

Data from MITRE ATT&CK®:

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)

On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Password Policies

Set and enforce secure password policies for accounts.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Private Keys

windows

Export Root Certificate with Export-Certificate

windows

Copy Private SSH Keys with CP (freebsd)

linux

Export Certificates with Mimikatz

windows

Copy the users GnuPG directory with rsync

macos linux

Discover Private SSH Keys

linux macos

Export Root Certificate with Export-PFXCertificate

windows

Copy Private SSH Keys with CP

linux

ADFS token signing and encryption certificates theft - Remote

windows

Copy the users GnuPG directory with rsync (freebsd)

linux

ADFS token signing and encryption certificates theft - Local

windows

CertUtil ExportPFX

windows

Copy Private SSH Keys with rsync (freebsd)

linux

Copy Private SSH Keys with rsync

macos linux

Suspicious PFX File Creation

windows file event

Cisco Crypto Commands

cisco

Certificate Exported Via PowerShell - ScriptBlock

windows ps script

Private Keys Reconnaissance Via CommandLine Tools

windows process creation

PowerShell Get-Process LSASS

windows process creation

Certificate Exported Via PowerShell

windows process creation