EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Private Keys Reconnaissance Via CommandLine Tools

Adversaries may search for private key certificate files on compromised systems for insecurely stored credential

MITRE ATT&CK

T1552.004
credential-access

Detection Query

selection_cmd_img:
  - Image|endswith: \cmd.exe
  - OriginalFileName: Cmd.Exe
selection_cmd_cli:
  CommandLine|contains: "dir "
selection_pwsh_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
selection_pwsh_cli:
  CommandLine|contains: "Get-ChildItem "
selection_findstr:
  - Image|endswith: \findstr.exe
  - OriginalFileName: FINDSTR.EXE
selection_ext:
  CommandLine|contains:
    - .key
    - .pgp
    - .gpg
    - .ppk
    - .p12
    - .pem
    - .pfx
    - .cer
    - .p7b
    - .asc
condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_*
  or selection_findstr)

Author

frack113, Nasreddine Bencherchali (Nextron Systems)

Created

2021-07-20

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1552.004
Raw Content
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-20
modified: 2023-03-06
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'dir '
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains: 'Get-ChildItem '
    selection_findstr:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_ext:
        CommandLine|contains:
            - '.key'
            - '.pgp'
            - '.gpg'
            - '.ppk'
            - '.p12'
            - '.pem'
            - '.pfx'
            - '.cer'
            - '.p7b'
            - '.asc'
    condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
    - Unknown
level: medium