Unsecured Credentials: Private Keys
Adversaries may search for insecurely stored private key certificate files on compromised systems. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures and can be identified by their file extensions: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on Linux and Unix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to External Remote Services and Remote Services like SSH or for use in decrypting other collected files such as email.
APT20 uses tools like Mimikatz to dump credentials and keys from the victim's machine.
Facefish intercepts the ssh process to steal private keys and credentials and sensitive information about the machine.
The backdoor targeted cryptographic keys and also replaced the legitimate OpenSSH client with a trojanized client that captures any SSH credentials, keys and target hostname, writing them to an encrypted file.(Citation: WeLiveSecurity)
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.
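An added defender-side helper, not part of the ATT&CK page: it walks a directory tree for the extensions listed above (plus anything in a .ssh directory), reports which key files are readable by other users, and checks whether each PEM or OpenSSH private key is passphrase-protected. The function and variable names are my own.

```python
"""Added audit helper, not from the ATT&CK page: walk a directory tree and
report the key and certificate files an adversary would collect, noting which
are readable by other users and which private keys are stored unencrypted."""
import base64
import stat
import sys
from pathlib import Path

# Extensions the page lists for keys and certificates. Files in a .ssh
# directory are included too, since SSH keys usually have no extension.
KEY_EXTENSIONS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem",
                  ".pfx", ".cer", ".p7b", ".asc"}
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(data: bytes):
    """True/False for a PEM or OpenSSH private key; None if the file is not a
    recognisable private key (certificate, public key, binary store)."""
    if b"BEGIN ENCRYPTED PRIVATE KEY" in data or b"Proc-Type: 4,ENCRYPTED" in data:
        return True          # PKCS#8 encrypted, or legacy OpenSSL PEM encryption
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        # OpenSSH format: base64 of AUTH_MAGIC followed by a length-prefixed
        # cipher name; the name "none" means the key material is in the clear.
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        n = int.from_bytes(raw[off:off + 4], "big")
        return raw[off + 4:off + 4 + n] != b"none"
    if b"PRIVATE KEY-----" in data:
        return False         # unencrypted PKCS#1 / PKCS#8 / EC PEM key
    return None


def audit_key_files(root):
    """Return sorted (path, readable_by_others, encrypted) tuples under root.
    The mode-bit check is meaningful on Linux/Unix; Windows ACLs need icacls."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or (path.suffix.lower() not in KEY_EXTENSIONS
                                  and path.parent.name != ".ssh"):
            continue
        exposed = bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))
        findings.append((str(path), exposed, private_key_is_encrypted(path.read_bytes())))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".ssh"
    for p, exposed, enc in audit_key_files(root):
        print(p, "readable-by-others" if exposed else "-", "unencrypted" if enc is False else "-")
```

Run it against a home directory or a mounted image to get the list of files whose access should be audited and whose unencrypted keys should be rotated.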
- Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.
- Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.
- M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Unit 42. Pro-Ocean: Rocke Group's New Cryptojacking Malware.
- Unit 42. Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products.
- Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
Created: 27 December 2020
Last Modified: 27 December 2020