Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.[1] Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.[2][3]
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.[4] An adversary with access to the device may be able to export the keys in order to impersonate the device.[5]
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.[6]
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
ID | Name | Description |
---|---|---|
S0677 | AADInternals | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.[7] |
S0377 | Ebury | Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[8] |
S0363 | Empire | Empire can use modules like |
S0661 | FoggyWeb | FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.[10] |
S0601 | Hildegard | |
S0283 | jRAT | jRAT can steal keys for VPNs and cryptocurrency wallets.[12] |
S0599 | Kinsing | |
S0409 | Machete | Machete has scanned and looked for cryptographic keys and certificate file extensions.[14] |
S1060 | Mafalda | Mafalda can collect a Chrome encryption key used to protect browser cookies.[15] |
S0002 | Mimikatz | Mimikatz's |
C0014 | Operation Wocao | During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.[17] |
G0106 | Rocke | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[18] |
G1015 | Scattered Spider | Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host.[19] |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[20][21] |
G0139 | TeamTNT | |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. |
M1041 | Encrypt Sensitive Information | When possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.[4] |
M1027 | Password Policies | Use strong passphrases for private keys to make cracking difficult. |
M1022 | Restrict File and Directory Permissions | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the |
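The file extensions and key directories named in the description, together with the passphrase (M1027) and file-permission (M1022) mitigations, are the things a defender can check for on a host before an adversary does. The script below is an added example written for this page; it is not ATT&CK content or code from any of the tools listed above. It assumes POSIX mode bits, the extension list from the page, and a constructed sample tree written to a temporary directory (the OpenSSH samples contain only the `openssh-key-v1` container header with a cipher name, no key material). It reports private keys that are readable by group or other, and keys stored without a passphrase, which it determines from the OpenSSH container's cipher field, the PEM `ENCRYPTED` / `Proc-Type` markers, or the PuTTY `Encryption:` header.

```python
"""Audit a directory tree for private keys stored insecurely (group/other readable or without passphrase)."""
import base64
import os
import stat
import struct
import tempfile
from typing import List, Optional, Tuple

# Extensions and key directories named on the page.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx",
                  ".cer", ".p7b", ".asc"}
KEY_DIR_NAMES = {".ssh", ".gnupg"}
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _openssh_cipher(data: bytes) -> Optional[str]:
    """Cipher name from an openssh-key-v1 container ('none' = no passphrase); None if unparseable."""
    lines = data.decode("ascii", "replace").splitlines()
    try:
        start, end = lines.index(OPENSSH_BEGIN) + 1, lines.index(OPENSSH_END)
        blob = base64.b64decode("".join(lines[start:end]))
    except ValueError:  # marker missing or bad base64 (binascii.Error is a ValueError)
        return None
    off = len(OPENSSH_MAGIC)
    if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])  # uint32 length-prefixed cipher name
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")

def classify_key_bytes(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted', 'not-a-private-key' or 'unknown' for the file contents."""
    if OPENSSH_BEGIN.encode() in data:
        cipher = _openssh_cipher(data)
        if cipher is None:
            return "unknown"
        return "unencrypted" if cipher == "none" else "encrypted"
    if b"PRIVATE KEY-----" in data:  # PKCS#1 / PKCS#8 / SEC1 PEM
        if b"BEGIN ENCRYPTED PRIVATE KEY" in data or b"Proc-Type: 4,ENCRYPTED" in data:
            return "encrypted"
        return "unencrypted"
    if data.startswith(b"PuTTY-User-Key-File"):  # .ppk
        return "unencrypted" if b"Encryption: none" in data else "encrypted"
    if (b"BEGIN CERTIFICATE" in data or b"PUBLIC KEY-----" in data
            or data.startswith((b"ssh-", b"ecdsa-"))):
        return "not-a-private-key"
    return "unknown"  # binary containers (.p12/.pfx), PGP blocks, ssh config files, ...

def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, issue) for each insecurely stored private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_key_dir = os.path.basename(dirpath) in KEY_DIR_NAMES
        for name in files:
            has_key_ext = os.path.splitext(name)[1].lower() in KEY_EXTENSIONS
            if not (in_key_dir or has_key_ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(64 * 1024)
            kind = classify_key_bytes(data)
            # Skip public material and unrecognised files that merely live in ~/.ssh (config, known_hosts).
            if kind == "not-a-private-key" or (kind == "unknown" and not has_key_ext):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.name == "posix":  # mode bits only carry meaning on POSIX filesystems
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append((rel, f"mode {mode:o} allows group/other access"))
            if kind == "unencrypted":
                findings.append((rel, "unencrypted private key (no passphrase)"))
    return findings

def _fake_openssh_key(cipher: str) -> bytes:
    """Constructed sample: the openssh-key-v1 header with a cipher name only, no key material."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    return f"{OPENSSH_BEGIN}\n{base64.b64encode(body).decode()}\n{OPENSSH_END}\n".encode()

def demo() -> List[Tuple[str, str]]:
    """Write a constructed sample tree to a temporary directory and audit it."""
    samples = {  # (relative path, mode): contents -- all constructed, none are real keys
        (".ssh/id_ed25519", 0o644): _fake_openssh_key("none"),
        (".ssh/id_rsa", 0o600): _fake_openssh_key("aes256-ctr"),
        (".ssh/id_ed25519.pub", 0o644): b"ssh-ed25519 AAAAC3Nz constructed-sample\n",
        (".ssh/config", 0o644): b"Host *\n  ServerAliveInterval 60\n",
        ("certs/server.pem", 0o640): b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
        ("certs/ca.cer", 0o644): b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for (rel, mode), content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return sorted(audit_tree(root))

if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{rel}: {issue}")
```

Run against a real home directory with `audit_tree(os.path.expanduser("~"))`. Binary containers such as .p12/.pfx are classified as unknown and only get the permission check, since telling an encrypted PKCS#12 from an unencrypted one needs an ASN.1 parser; PGP secret key blocks are likewise left as unknown.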
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials. |
DS0022 | File | File Access | Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. |
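The two detection rows above map to two rule types: command lines that enumerate key files (or run the network-device export named in the description), and reads of key files by processes that have no business reading them. The detector below is an added example for this page, not ATT&CK content; it runs over constructed JSON event lines (not real telemetry). The event schema, the search-tool list and the allow-list of expected key readers are assumptions that would be replaced by the site's own EDR or auditd fields and its own baseline.

```python
"""Flag command-execution and file-access events matching private-key collection behaviour."""
import json
import shlex
from typing import List, Optional, Tuple

# Extensions and key directories named on the page; the /etc/ssl/private prefix is an assumed site path.
KEY_EXTENSIONS = (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")
KEY_DIR_NAMES = {".ssh", ".gnupg"}
KEY_PATH_PREFIXES = ("/etc/ssl/private",)
# Enumeration utilities whose arguments are worth inspecting (assumed list; tune per environment).
SEARCH_TOOLS = {"find", "locate", "dir", "where", "grep", "rg", "get-childitem", "gci"}
# Processes expected to read key files on this host (assumed allow-list; tune per environment).
EXPECTED_KEY_READERS = {"/usr/bin/ssh", "/usr/sbin/sshd", "/usr/bin/ssh-add",
                        "/usr/bin/ssh-keygen", "/usr/bin/gpg", "/usr/sbin/nginx"}

def looks_like_key_path(path: str) -> bool:
    """True for a key extension, a path component such as .ssh, or a known key location prefix."""
    low = path.lower().replace("\\", "/")
    return (low.endswith(KEY_EXTENSIONS)
            or any(part in KEY_DIR_NAMES for part in low.split("/"))
            or low.startswith(KEY_PATH_PREFIXES))

def check_command(ev: dict) -> Optional[str]:
    """Command Execution rules: network-device key export, or a search tool aimed at key files."""
    cmd = ev.get("cmdline", "")
    if "crypto pki export" in cmd.lower():  # Network Device CLI export named on the page
        return "network-device-key-export"
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = cmd.split()
    if not argv:
        return None
    tool = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if tool in SEARCH_TOOLS and any(looks_like_key_path(a.strip("\"'")) for a in argv[1:]):
        return "key-file-search"
    return None

def check_file(ev: dict) -> Optional[str]:
    """File Access rule: a key file read by a process outside the expected reader set."""
    if not looks_like_key_path(ev.get("path", "")):
        return None
    if ev.get("process") in EXPECTED_KEY_READERS:
        return None
    return "unexpected-key-file-read"

def detect(lines) -> List[Tuple[str, str, str]]:
    """Parse JSON event lines; return (rule, user, detail) per match. Malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event") == "command":
            rule, detail = check_command(ev), ev.get("cmdline", "")
        elif ev.get("event") == "file":
            rule, detail = check_file(ev), f"{ev.get('process')} read {ev.get('path')}"
        else:
            continue
        if rule:
            alerts.append((rule, ev.get("user", "?"), detail))
    return alerts

# Constructed sample events (not real telemetry); one line is deliberately malformed.
SAMPLE_LOG = """\
{"event": "command", "user": "svc-backup", "cmdline": "find / -name \\"*.pem\\" -o -name \\"*.key\\""}
{"event": "command", "user": "netadmin", "cmdline": "crypto pki export EXAMPLE-TP pem terminal"}
{"event": "file", "user": "www-data", "process": "/usr/bin/python3", "path": "/home/deploy/.ssh/id_rsa", "op": "read"}
{"event": "file", "user": "deploy", "process": "/usr/bin/ssh", "path": "/home/deploy/.ssh/id_rsa", "op": "read"}
{"event": "command", "user": "deploy", "cmdline": "ls -la /var/log"}
this line is not JSON
{"event": "file", "user": "root", "process": "/usr/bin/tar", "path": "/etc/ssl/private/server.key", "op": "read"}
"""

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] user={user}: {detail}")
```

The file-access rule is where the signal is: backup agents, config-management tools and developers' own `ssh` invocations all read keys legitimately, so the allow-list (or a learned per-host baseline) decides the false-positive rate, and the `tar` read of `/etc/ssl/private/server.key` in the sample is flagged precisely because archiving a key is the collection step that precedes exfiltration.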