T1552.004 Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.6 Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.41
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.5 An adversary with access to the device may be able to export the keys in order to impersonate the device.3
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export
.2
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Item | Value |
---|---|
ID | T1552.004 |
Sub-techniques | T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1552.007, T1552.008 |
Tactics | TA0006 |
Platforms | Linux, Network, Windows, macOS |
Version | 1.1 |
Created | 04 February 2020 |
Last Modified | 12 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0677 | AADInternals | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.7 |
S0377 | Ebury | Ebury has intercepted unencrypted private keys as well as private key pass-phrases.13 |
S0363 | Empire | Empire can use modules like Invoke-SessionGopher to extract private key and session information.9 |
S0661 | FoggyWeb | FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.12 |
S0601 | Hildegard | Hildegard has searched for private keys in .ssh.10 |
S0283 | jRAT | jRAT can steal keys for VPNs and cryptocurrency wallets.16 |
S0599 | Kinsing | Kinsing has searched for private keys.14 |
S0409 | Machete | Machete has scanned and looked for cryptographic keys and certificate file extensions.15 |
S1060 | Mafalda | Mafalda can collect a Chrome encryption key used to protect browser cookies.11 |
S0002 | Mimikatz | Mimikatz‘s CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.8 |
C0014 | Operation Wocao | During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.22 |
G0106 | Rocke | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.17 |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.2021 |
G0139 | TeamTNT | TeamTNT has searched for unsecured SSH keys.1819 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. |
M1041 | Encrypt Sensitive Information | When possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.5 |
M1027 | Password Policies | Use strong passphrases for private keys to make cracking difficult. |
M1022 | Restrict File and Directory Permissions | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the nonexportable flag during RSA key pair generation.2 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
References
-
Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017. ↩
-
Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023. ↩↩
-
Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023. ↩
-
Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017. ↩
-
Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023. ↩↩
-
Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017. ↩
-
Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. ↩
-
Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. ↩
-
Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. ↩
-
Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. ↩
-
M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019. ↩
-
Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. ↩
-
ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. ↩
-
Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. ↩
-
Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. ↩
-
Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021. ↩
-
Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. ↩
-
Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. ↩
-
NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. ↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩