Find sigma rule
Attack: Unsecured Credentials: Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export
.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
MITRE
Tactic
- credential-access
technique
- T1552.004
Test : Export Root Certificate with Export-Certificate
OS
- windows
Description:
Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet. Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
Executor
powershell
Sigma Rule
-
proc_creation_win_powershell_export_certificate.yml (id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb)
-
posh_ps_export_certificate.yml (id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c)
-
registry_set_install_root_or_ca_certificat.yml (id: d223b46b-5621-4037-88fe-fda32eead684)