EXPLORE
Sign In
← Back to Explore
T1552.004

Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based sy...

LinuxmacOSNetwork DevicesWindows
20
Detections
3
Sources
5
Threat Actors

BY SOURCE

8elastic6sigma6splunk_escu

PROCEDURES (19)

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Powershell1 detections

Auto-extracted: 1 detections for powershell

Api1 detections

Auto-extracted: 1 detections for api

Api1 detections

Auto-extracted: 1 detections for api

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Container1 detections

Auto-extracted: 1 detections for container

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Credential1 detections

Auto-extracted: 1 detections for credential

Container1 detections

Auto-extracted: 1 detections for container

Service1 detections

Auto-extracted: 1 detections for service

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Script Block1 detections

Auto-extracted: 1 detections for script block

Script Block1 detections

Auto-extracted: 1 detections for script block

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Service1 detections

Auto-extracted: 1 detections for service

THREAT ACTORS (5)

RockeScattered SpiderStorm-0501TeamTNTVolt Typhoon

DETECTIONS (20)

Access to a Sensitive LDAP Attribute
elasticmedium
Certificate Exported Via PowerShell
sigmamedium
Certificate Exported Via PowerShell - ScriptBlock
sigmamedium
Cisco Crypto Commands
sigmahigh
Creation or Modification of Domain Backup DPAPI private key
elastichigh
DPAPI Backup Keys And Certificate Export Activity IOC
sigmahigh
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
elastichigh
Kubelet Certificate File Access Detected via Defend for Containers
elasticlow
Linux Auditd Find Ssh Private Keys
splunk_escu
Linux Auditd Private Keys and Certificate Enumeration
splunk_escu
Potential Privilege Escalation via Linux DAC permissions
elasticlow
PowerShell Get-Process LSASS
sigmahigh
Private Key Searching Activity
elastichigh
Private Keys Reconnaissance Via CommandLine Tools
sigmamedium
Sensitive Keys Or Passwords Search Detected via Defend for Containers
elasticmedium
Suspicious CertUtil Commands
elasticmedium
Windows Export Certificate
splunk_escu
Windows PowerShell Export Certificate
splunk_escu
Windows PowerShell Export PfxCertificate
splunk_escu
Windows Private Keys Discovery
splunk_escu