Description
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Platforms
Mitigations (4)
Password PoliciesM1027
Use strong passphrases for private keys to make cracking difficult.
Restrict File and Directory PermissionsM1022
Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the nonexportable flag during RSA key pair generation.(Citation: cisco_deploy_rsa_keys)
AuditM1047
Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.
Encrypt Sensitive InformationM1041
When possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.(Citation: Microsoft Primary Refresh Token)
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) enumerate and exfiltrate code-signing certificates from a compromised host.(Citation: CISA S... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has accessed a Local State files associated with Chromium-based browsers that contain the AES key use... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Tren... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has leveraged the Azure Owner role to access and steal the Storage Account Access keys using the `... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has used SSH private keys on the infected machine to spread its coinminer throughout a network.(Citatio... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has accessed a Local State file that contains the AES key used to encrypt passwords stored in t... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) has scanned and looked for cryptographic keys and certificate file extensions.(Citation: ESET Mache... |
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002)'s <code>CRYPTO::Extract</code> module can extract keys by interacting with Windows cryptographic a... |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has searched for private keys.(Citation: Aqua Kinsing April 2020) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has searched for private keys in .ssh.(Citation: Unit 42 Hildegard Malware) |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can collect a Chrome encryption key used to protect browser cookies.(Citation: SentinelLabs Metador... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can retrieve token signing certificates and token decryption certificates from a compromised AD FS... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can use modules like <code>Invoke-SessionGopher</code> to extract private key and session informatio... |
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can gather encryption keys from Azure AD services such as ADSync and Active Directory Federate... |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) has intercepted unencrypted private keys as well as private key pass-phrases.(Citation: ESET Ebury Fe... |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) can steal keys for VPNs and cryptocurrency wallets.(Citation: Kaspersky Adwind Feb 2016) |
References
- Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.
- Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023.
- Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.
- Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.
- Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.
- Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.
Frequently Asked Questions
What is T1552.004 (Private Keys)?
T1552.004 is a MITRE ATT&CK technique named 'Private Keys'. It belongs to the Credential Access tactic(s). Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/d...
How can T1552.004 be detected?
Detection of T1552.004 (Private Keys) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1552.004?
There are 4 documented mitigations for T1552.004. Key mitigations include: Password Policies, Restrict File and Directory Permissions, Audit, Encrypt Sensitive Information.
Which threat groups use T1552.004?
Known threat groups using T1552.004 include: Scattered Spider, Kimsuky, TeamTNT, Storm-0501, Rocke, Volt Typhoon.