T1145.md

T1145 - Private Keys

Description from ATT&CK

Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)

Adversaries may gather private keys from compromised systems for use in authenticating to Remote Services like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users(username).ssh</code> on Windows.

Private keys should require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)

Atomic Tests

• Atomic Test #1 - Private Keys

• Atomic Test #2 - Discover Private SSH Keys

• Atomic Test #3 - Copy Private SSH Keys with CP

• Atomic Test #4 - Copy Private SSH Keys with rsync

Atomic Test #1 - Private Keys

Find private keys on the Windows file system. File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key

Cleanup Commands:

del c:\Windows\cert.key

Atomic Test #2 - Discover Private SSH Keys

Discover private SSH keys on a macOS or Linux system.

Supported Platforms: macOS, Linux

Inputs:

Name	Description	Type	Default Value
output_file	Output file containing locations of SSH key files	path	/tmp/keyfile_locations.txt

Attack Commands: Run with sh!

find / -name id_rsa >> #{output_file}
find / -name id_dsa >> #{output_file}

Atomic Test #3 - Copy Private SSH Keys with CP

Copy private SSH keys on a Linux system to a staging folder using the cp command.

Supported Platforms: Linux

Inputs:

Name	Description	Type	Default Value
output_folder	Output folder containing copies of SSH private key files	path	/tmp/art-staging

Attack Commands: Run with sh!

mkdir #{output_folder}
find / -name id_rsa -exec cp --parents {} #{output_folder} \;
find / -name id_dsa -exec cp --parents {} #{output_folder} \;

Atomic Test #4 - Copy Private SSH Keys with rsync

Copy private SSH keys on a Linux or macOS system to a staging folder using the rsync command.

Supported Platforms: macOS, Linux

Inputs:

Name	Description	Type	Default Value
output_folder	Output folder containing copies of SSH private key files	path	/tmp/art-staging

Attack Commands: Run with sh!

mkdir #{output_folder}
find / -name id_rsa -exec rsync -R {} #{output_folder} \;
find / -name id_dsa -exec rsync -R {} #{output_folder} \;