Unsecured Credentials: Private Keys

Adversaries may search for insecurely stored private key and certificate files on compromised systems. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures and can be identified by their file extensions: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on Linux and Unix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to External Remote Services and Remote Services like SSH, or to decrypt other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.[1][2]

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.

Procedure Examples

APT20: APT20 uses tools like Mimikatz to dump credentials and keys from the victim's machine.

Ebury: Ebury has intercepted unencrypted private keys as well as private key passphrases.[3]

Facefish: Facefish intercepts the ssh process to steal private keys, credentials, and sensitive information about the machine.

Kobalos: The backdoor searched for cryptographic keys and also replaced the legitimate OpenSSH client with a trojanized client that captures any SSH credentials, keys, and target hostname, writing them to an encrypted file.(Citation: WeLiveSecurity)

Machete: Machete has scanned for cryptographic key and certificate file extensions for use in lateral movement.[4]

Mimikatz: Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[5]

Rocke: Rocke looks for SSH keys and attempts to use them to infect new machines, move laterally, and spread its cryptominer throughout a network.[6][7][8]

TrickBot: TrickBot has a private-key grabbing module for OpenSSH and PuTTY.

UNC1945: The group compromised credentials and private keys to enable Lateral Movement and sign into Valid Accounts.

UNC2452: UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[9]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.
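As an added illustration of the detection guidance above (example code written for this page, not part of the original), the following Python script scans constructed file-access log lines in an assumed, simplified auditd-like format and flags any process that opens several distinct key or certificate files (by the extensions listed on this page, or anything under a .ssh directory) within a short window, a pattern consistent with collection rather than normal single-key use.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions this page lists as identifying private keys and certificates.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem",
                  ".pfx", ".cer", ".p7b", ".asc"}
# Common key directory named on this page (matched on any path component).
KEY_DIRS = {".ssh"}

# Constructed log format assumed for this example:
#   "<epoch> <process> uid=<n> path=<file>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<proc>\S+) uid=(?P<uid>\d+) path=(?P<path>\S+)$")

def is_key_material(path: str) -> bool:
    """True if the path has a key/cert extension or sits under a .ssh directory."""
    p = PurePosixPath(path)
    return p.suffix.lower() in KEY_EXTENSIONS or any(part in KEY_DIRS for part in p.parts)

def find_collectors(lines, window=60, threshold=3):
    """Return {process: sorted key paths} for every process that opened at least
    `threshold` distinct key files within any `window`-second span."""
    seen = defaultdict(list)  # process -> [(timestamp, path)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_key_material(m["path"]):
            continue
        seen[m["proc"]].append((int(m["ts"]), m["path"]))
    hits = {}
    for proc, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= threshold:
                hits[proc] = sorted(paths)
                break
    return hits

# Constructed sample: gpg-agent touching one key (benign) versus an
# unexpected binary sweeping several key files in a few seconds.
SAMPLE_LOG = """
1700000000 gpg-agent uid=1000 path=/home/alice/.gnupg/private-keys-v1.d/abc.key
1700000005 /tmp/.x/collect uid=1000 path=/home/alice/.ssh/id_rsa
1700000006 /tmp/.x/collect uid=1000 path=/home/alice/.gnupg/secring.gpg
1700000007 /tmp/.x/collect uid=1000 path=/home/alice/certs/client.pfx
1700000400 /tmp/.x/collect uid=1000 path=/home/alice/notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for proc, paths in find_collectors(SAMPLE_LOG).items():
        print(f"possible key collection by {proc}: {paths}")
```

The threshold keeps single legitimate reads (an SSH client or agent loading its own key) out of the alert; tune `window` and `threshold` to the host's normal key usage.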


ID: VT0017.004
Sub-techniques:
Tactic: Credential Access
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File monitoring
Version: 1.0

Created: 27 December 2020

Last Modified: 27 December 2020