Find sigma rule

Attack: Unsecured Credentials: Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)

On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.

MITRE

Tactic

credential-access

technique

T1552.004

Test : CertUtil ExportPFX

OS

windows

Description:

The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack. Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html

Executor

powershell

Sigma Rule

proc_creation_win_susp_shell_spawn_susp_program.yml (id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde)
proc_creation_win_powershell_susp_child_processes.yml (id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647)
proc_creation_win_certutil_export_pfx.yml (id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5)
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
posh_ps_susp_set_alias.yml (id: 96cd126d-f970-49c4-848a-da3a09f55c55)
registry_set_install_root_or_ca_certificat.yml (id: d223b46b-5621-4037-88fe-fda32eead684)
posh_pm_bad_opsec_artifacts.yml (id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86)
proc_creation_win_powershell_download_cradles.yml (id: 6e897651-f157-4d8f-aaeb-df8151488385)
proc_creation_win_powershell_download_iex.yml (id: 85b0b087-eddf-4a2b-b033-d771fa2b9775)
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test