detection.wiki

Unsecured Credentials: Private Keys T1552.004

Tactic: Credential Access

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Events covered

9 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 11FileCreate
Security-AuditingEvent ID 4624An account was successfully logged on.
Security-AuditingEvent ID 4625An account failed to log on.
Security-AuditingEvent ID 4648A logon was attempted using explicit credentials.
Security-AuditingEvent ID 4662An operation was performed on an object.
Security-AuditingEvent ID 4688A new process has been created.
CertificateServicesClient-Lifecycle-SystemEvent ID 1007A certificate has been exported.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 28 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (38 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine8contains 7, wildcard 3, in 1*.asc*, *.cer*, *.csr*, *.id_rsa*, *.pem
event.type7eq 6, ne 1start, change, deletion
EventID6eq 64104, 1007, 4624, 4662, 4688
EventType6eq 5, in 1exec, CreateKeyPair, ProcessRollup2, copy, download
host.os.type4eq 4
process_name4eq 2, in 2awk, bash, busybox, cat, certutil.exe
ScriptBlockText3contains 3export-certificate, export-pfxcertificate, cmdletstoexport = @(
TargetFilename3ends_with 2, starts_with 2, contains 1.pfx, .cer, .key, /var/lib/kubelet/pki/, \onedrive\codesigning.pfx
process.args3contains 2, in 2, eq 1/bin/awk, /bin/cat, /bin/egrep, /bin/head, ?decode
Image2ends_with 1, eq 1\cmd.exe, \findstr.exe, \powershell.exe, c:\program files (x86)\microsoft onedrive\onedrive.exe, c:\program files\microsoft onedrive\onedrive.exe
OriginalFileName2eq 2certutil.exe, cmd.exe, findstr.exe, powershell.exe
container.id2wildcard 2*
event.category2eq 2process, file
execve_command2in 2*.cer*, *.crt*, *.gpg*, *.key*, *authorized_keys*
process.interactive2eq 2true

Top indicator values (274 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
6606
EventTypeeq
exec
3171
CommandLinecontains
dir
28
CommandLinecontains
-encodedcommand
13
EventIDeq
4104
2268
ScriptBlockTextcontains
export-certificate
22
ScriptBlockTextcontains
export-pfxcertificate
22
TargetFilenameends_with
.pfx
22
container.idwildcard
*
225
event.categoryeq
process
2128
execve_commandin
*.key*
22
execve_commandin
*find*
27
execve_commandin
*grep*
27
process.argsin
/bin/awk
25
process.argsin
/bin/cat
25
process.argsin
/bin/sed
25
process.argsin
/usr/bin/awk
25
process.argsin
/usr/bin/cat
25
process.argsin
/usr/bin/sed
25
process.argsin
/usr/local/bin/awk
25
process.argsin
/usr/local/bin/cat
25
process.argsin
/usr/local/bin/sed
25
process.argsin
awk
26
process.argsin
cat
26
process.argsin
sed
26
process.interactiveeq
true
242
process_namein
awk
213
process_namein
cat
223
process_namein
sed
211
sourcetypeeq
auditd
256

Exclusions (97 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
AccessMaskin
0x0
1
AccessMaskin
0x100
1
CommandLinecontains
--cacert
1
CommandLinecontains
--ssl-cert
1
CommandLinecontains
--tls-cert
1
CommandLinecontains
--tls_server_certs
1
EventDatacontains
gc_service.exe
1
EventDatacontains
gc_worker.exe
1
Imageeq
c:\program files (x86)\microsoft onedrive\onedrive.exe
1
Imageeq
c:\program files\microsoft onedrive\onedrive.exe
1
Imagewildcard
/usr/lib/*/lxc/rootfs/*
1
Imagewildcard
?:\program files (x86)\schneider electric ecostruxure\building operation...
1
Imagewildcard
?:\program files\elastic\agent\data\*\osqueryd.exe
1
Imagewildcard
?:\program files\git\cmd\git.exe
1
Imagewildcard
?:\program files\git\mingw64\bin\git.exe
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 7 rules

Elastic 10 rules

Splunk 6 rules

Kusto 1 rule

YARA-L 3 rules

Panther 1 rule