Unsecured Credentials: Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.[1] Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.[2][3]

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.

ID: T1552.004
Sub-technique of:  T1552
Platforms: Linux, Windows, macOS
Permissions Required: User
Contributors: Itzik Kotler, SafeBreach
Version: 1.0
Created: 04 February 2020
Last Modified: 29 March 2020

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.[4]

G0016 APT29

APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[5][6]

S0377 Ebury

Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[7]

S0363 Empire

Empire can use modules like Invoke-SessionGopher to extract private key and session information.[8]

S0661 FoggyWeb

FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.[9]

S0601 Hildegard

Hildegard has searched for private keys in .ssh.[10]

S0283 jRAT

jRAT can steal keys for VPNs and cryptocurrency wallets.[11]

S0599 Kinsing

Kinsing has searched for private keys.[12]

S0409 Machete

Machete has scanned and looked for cryptographic keys and certificate file extensions.[13]

S0002 Mimikatz

Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[14]

G0116 Operation Wocao

Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.[15]

G0106 Rocke

Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[16]

G0139 TeamTNT

TeamTNT has searched for unsecured SSH keys.[17][18]

Mitigations

ID Mitigation Description
M1047 Audit

Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.

M1041 Encrypt Sensitive Information

When possible, store keys on separate cryptographic hardware instead of on the local system.

M1027 Password Policies

Use strong passphrases for private keys to make cracking difficult.

M1022 Restrict File and Directory Permissions

Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access

Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.

References