Find sigma rule
Attack: Unsecured Credentials: Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export
.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
MITRE
Tactic
- credential-access
technique
- T1552.004
Test : Export Certificates with Mimikatz
OS
- windows
Description:
The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
Executor
command_prompt
Sigma Rule
- proc_creation_win_hktl_mimikatz_command_line.yml (id: a642964e-bead-4bed-8910-1bb4d63e3b4d)