Find sigma rule
Attack: Unsecured Credentials: Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
MITRE
Tactic
- credential-access
Technique
- T1552.004
Test: Export Root Certificate with Export-PFXCertificate
OS
- windows
Description:
Creates a root certificate and exports it with the Export-PFXCertificate PowerShell cmdlet. On success, the test writes a .pfx file to disk, so both the cmdlet invocation and the resulting file creation are observable.
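The technique description above (bulk searches for key file extensions and for ~/.ssh-style directories) and this test (a .pfx export with Export-PFXCertificate) both leave traces in process-creation telemetry. The following Python triage routine is an added example, not code from this page, from MITRE, from Atomic Red Team or from the Sigma project, and its matching logic is an illustration rather than a transcription of the Sigma rules listed below. The regular expressions, the `ProcEvent`/`Finding` types and the sample command lines are all constructed for this example; the extension list is the one given in the technique description.

```python
"""Triage of process-creation command lines for private-key discovery and
certificate export activity (T1552.004).

Added example: the events below are constructed, not real telemetry, and the
matching rules are illustrative, not the Sigma rules referenced on this page.
"""
import re
from dataclasses import dataclass, field

# Key and certificate extensions named in the technique description.
KEY_EXTENSIONS = ("key", "pgp", "gpg", "ppk", "p12", "pem", "pfx", "cer", "p7b", "asc")

# A wildcard that targets a key/certificate extension, e.g. *.pem or *.ppk.
# A plain reference to a single file (server.cer) is deliberately not matched.
KEY_GLOB_RE = re.compile(r"\*\.(" + "|".join(KEY_EXTENSIONS) + r")(?![a-z0-9])", re.I)
# File-system enumeration commands on Windows and *nix shells (assumed list).
SEARCH_VERB_RE = re.compile(
    r"(?<![\w.-])(dir|findstr|forfiles|where|find|ls|gci|get-childitem)(?![\w-])", re.I)
# Switches that turn a listing into a filesystem-wide sweep.
RECURSE_RE = re.compile(r"(?<!\S)(/s|-recurse|-r)(?!\S)", re.I)
# A per-user SSH key directory: ~/.ssh or C:\Users\<name>\.ssh
SSH_DIR_RE = re.compile(r"(?:^|[\\/])\.ssh(?=[\\/\s\"']|$)")
# The cmdlet used by the test on this page to write a .pfx to disk.
EXPORT_RE = re.compile(r"export-pfxcertificate", re.I)


@dataclass
class ProcEvent:
    event_id: int
    user: str
    command_line: str


@dataclass
class Finding:
    event_id: int
    reasons: list = field(default_factory=list)


def classify(cmdline: str) -> list:
    """Return the list of reasons a command line looks like key discovery or
    certificate export; an empty list means nothing suspicious was seen."""
    reasons = []
    globs = {m.group(1).lower() for m in KEY_GLOB_RE.finditer(cmdline)}
    enumerating = SEARCH_VERB_RE.search(cmdline) is not None
    # Only an enumeration verb combined with a key-extension wildcard counts;
    # either half alone is common in benign administration.
    if enumerating and globs:
        reasons.append("key-file search: " + ", ".join(sorted(globs)))
        if RECURSE_RE.search(cmdline):
            reasons.append("recursive sweep")
    if enumerating and SSH_DIR_RE.search(cmdline):
        reasons.append("ssh key directory enumeration")
    if EXPORT_RE.search(cmdline):
        reasons.append("certificate export with Export-PfxCertificate")
    return reasons


def triage(events) -> list:
    """Run classify() over process-creation events and keep only the hits."""
    findings = []
    for ev in events:
        reasons = classify(ev.command_line)
        if reasons:
            findings.append(Finding(ev.event_id, reasons))
    return findings


# Constructed sample events: 1-4 should be flagged, 5-7 are benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1, "CORP\\alice", r"dir /s /b C:\Users\*.pfx C:\Users\*.pem"),
    ProcEvent(2, "CORP\\alice", r'powershell.exe -c "Get-ChildItem -Path C:\ -Recurse '
                                r'-Include *.key,*.ppk -ErrorAction SilentlyContinue"'),
    ProcEvent(3, "CORP\\svc_build", r'powershell.exe -c "Export-PfxCertificate -Cert '
                                    r'Cert:\LocalMachine\Root\THUMBPRINT_PLACEHOLDER '
                                    r'-FilePath C:\Temp\root.pfx"'),
    ProcEvent(4, "CORP\\bob", r"cmd.exe /c dir C:\Users\bob\.ssh"),
    ProcEvent(5, "CORP\\bob", r"certutil -dump C:\certs\server.cer"),
    ProcEvent(6, "CORP\\dev", r"dir C:\Projects\*.py"),
    ProcEvent(7, "CORP\\alice", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"event {finding.event_id}: {'; '.join(finding.reasons)}")
```

The point of requiring two signals (an enumeration verb plus a key-extension wildcard, or plus an .ssh path) is precision: a single `.cer` argument to certutil or a `dir` over a source tree is routine, whereas a recursive sweep for `*.pfx` and `*.pem` across user profiles is what the technique description calls out. The export check is intentionally a bare cmdlet match, because that is the action the atomic test performs; in production the file-creation event for the resulting .pfx (the last Sigma rule listed below) is the natural corroborating signal.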
Executor
powershell
Sigma Rule
- proc_creation_win_susp_private_keys_recon.yml (id: 213d6a77-3d55-4ce8-ba74-fcfef741974e)
- proc_creation_win_powershell_cmdline_convertto_securestring.yml (id: 74403157-20f5-415d-89a7-c505779585cf)
- proc_creation_win_powershell_export_certificate.yml (id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb)
- posh_ps_export_certificate.yml (id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c)
- registry_set_install_root_or_ca_certificat.yml (id: d223b46b-5621-4037-88fe-fda32eead684)
- file_event_win_susp_pfx_file_creation.yml (id: dca1b3e8-e043-4ec8-85d7-867f334b5724)