Unsecured Credentials: Private Keys
Other sub-techniques of Unsecured Credentials (6)
ID | Name |
---|---|
T1552.001 | Credentials In Files |
T1552.002 | Credentials in Registry |
T1552.003 | Bash History |
T1552.004 | Private Keys |
T1552.005 | Cloud Instance Metadata API |
T1552.006 | Group Policy Preferences |
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.[1] Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.[2][3]
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.
Procedure Examples
Name | Description |
---|---|
Ebury | Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[4] |
Empire | Empire can use modules like |
jRAT | |
Machete | Machete has scanned and looked for cryptographic keys and certificate file extensions.[7] |
Mimikatz | Mimikatz's |
Rocke | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[9] |
UNC2452 | UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[10] |
Mitigations
Mitigation | Description |
---|---|
Audit | Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. |
Encrypt Sensitive Information | When possible, store keys on separate cryptographic hardware instead of on the local system. |
Password Policies | Use strong passphrases for private keys to make cracking difficult. |
Restrict File and Directory Permissions | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. |
Detection
Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.
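As an added illustration of the file-access monitoring described above (this is not MITRE's code or any vendor's detection content), the following script matches accessed paths against the key and certificate extensions and the .ssh directory named on this page, and flags an executable that opens several distinct key files in one log, which is the collection pattern the text points at. The log lines are constructed for this example; their fields are modelled on auditd's SYSCALL (uid=, exe=) and PATH (name=) records flattened onto one line, not real auditd output.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions named on the technique page.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem",
                  ".pfx", ".cer", ".p7b", ".asc"}

def is_key_path(path: str) -> bool:
    """Match a file by key/certificate extension or by living under a .ssh directory."""
    normalized = path.replace("\\", "/")  # also handles C:\Users\<name>\.ssh\
    if "/.ssh/" in normalized:
        return True
    return PurePosixPath(normalized).suffix.lower() in KEY_EXTENSIONS

# Constructed record format: key=value fields, values optionally double-quoted.
FIELD_RE = re.compile(r'\b(uid|exe|name)=("?)([^"\s]+)\2')

def parse_record(line: str) -> dict:
    """Extract uid, exe and name fields from one flattened audit-style line."""
    return {key: value for key, _, value in FIELD_RE.findall(line)}

def find_key_file_accesses(lines):
    """Return the parsed records whose accessed path looks like a key or certificate."""
    return [rec for rec in map(parse_record, lines)
            if "name" in rec and is_key_path(rec["name"])]

def collectors(hits, threshold=2):
    """Executables that opened at least `threshold` distinct key files (collection pattern)."""
    paths_by_exe = defaultdict(set)
    for rec in hits:
        paths_by_exe[rec.get("exe", "?")].add(rec["name"])
    return {exe: sorted(p) for exe, p in paths_by_exe.items() if len(p) >= threshold}

# Constructed sample log: one legitimate ssh use, one unrelated file, and an
# unknown binary in /tmp sweeping several key files (one path is a non-key file).
SAMPLE_LOG = [
    'type=SYSCALL syscall=openat uid=1000 exe="/usr/bin/ssh" type=PATH name="/home/alice/.ssh/id_ed25519"',
    'type=SYSCALL syscall=openat uid=1000 exe="/usr/bin/vim" type=PATH name="/home/alice/notes.txt"',
    'type=SYSCALL syscall=openat uid=1000 exe="/tmp/scan" type=PATH name="/home/alice/.ssh/id_rsa"',
    'type=SYSCALL syscall=openat uid=1000 exe="/tmp/scan" type=PATH name="/home/alice/work/client.PEM"',
    'type=SYSCALL syscall=openat uid=1000 exe="/tmp/scan" type=PATH name="/home/alice/keys/backup.p12"',
    'type=SYSCALL syscall=openat uid=1000 exe="/tmp/scan" type=PATH name="/home/alice/.gnupg/pubring.kbx"',
]

if __name__ == "__main__":
    for exe, paths in collectors(find_key_file_accesses(SAMPLE_LOG)).items():
        print(f"{exe} opened {len(paths)} key/certificate files: {paths}")
```

A single read of ~/.ssh by ssh itself is normal and is deliberately below the threshold; tune the threshold and an allow-list of expected executables to the host's baseline.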
References
- Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.
- Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.
- Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.
- Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- ESET. (2019, July). Machete Just Got Sharper: Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.