Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Sigma rule
```yaml
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-20
modified: 2023-03-06
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'dir '
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains: 'Get-ChildItem '
    selection_findstr:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_ext:
        CommandLine|contains:
            - '.key'
            - '.pgp'
            - '.gpg'
            - '.ppk'
            - '.p12'
            - '.pem'
            - '.pfx'
            - '.cer'
            - '.p7b'
            - '.asc'
    condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
    - Unknown
level: medium
```
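To see what the condition above actually matches, here is the rule's logic evaluated by hand over a few constructed process_creation events. This is an added example, not SigmaHQ or pySigma code; it assumes Sigma's usual case-insensitive string matching for the `endswith`/`contains`/exact modifiers, and the field names and sample events are constructed for illustration.

```python
# Hand-written evaluator for this rule's detection block (added example, not
# SigmaHQ/pySigma code). Sigma string modifiers match case-insensitively,
# which is reproduced here by lower-casing both sides.
KEY_EXTS = (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")

def _norm(ev, field):
    return (ev.get(field) or "").lower()

def ends_with(ev, field, *suffixes):            # Field|endswith (list = OR)
    return any(_norm(ev, field).endswith(s.lower()) for s in suffixes)

def contains(ev, field, *needles):              # Field|contains (list = OR)
    return any(n.lower() in _norm(ev, field) for n in needles)

def equals(ev, field, *values):                 # plain Field: value (list = OR)
    return _norm(ev, field) in {v.lower() for v in values}

# Each selection: a list of maps is OR-ed, keys inside one map are AND-ed.
def selection_cmd_img(ev):
    return ends_with(ev, "Image", "\\cmd.exe") or equals(ev, "OriginalFileName", "Cmd.Exe")

def selection_cmd_cli(ev):
    return contains(ev, "CommandLine", "dir ")

def selection_pwsh_img(ev):
    return (ends_with(ev, "Image", "\\powershell.exe", "\\pwsh.exe")
            or equals(ev, "OriginalFileName", "PowerShell.EXE", "pwsh.dll"))

def selection_pwsh_cli(ev):
    return contains(ev, "CommandLine", "Get-ChildItem ")

def selection_findstr(ev):
    return ends_with(ev, "Image", "\\findstr.exe") or equals(ev, "OriginalFileName", "FINDSTR.EXE")

def selection_ext(ev):
    return contains(ev, "CommandLine", *KEY_EXTS)

def rule_matches(ev):
    # condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
    return selection_ext(ev) and ((selection_cmd_img(ev) and selection_cmd_cli(ev))
                                  or (selection_pwsh_img(ev) and selection_pwsh_cli(ev))
                                  or selection_findstr(ev))

# Constructed sample events, not real telemetry. Expected: only 0 and 1 match.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir /s /b C:\Users\*.pem"},               # cmd + dir + .pem
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh -c Get-ChildItem -Recurse -Include *.ppk C:\\"},  # pwsh + gci + .ppk
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},                            # no key extension
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\keys\server.key"},                     # extension, wrong tool
]

def matching_indices(events=SAMPLE_EVENTS):
    return [i for i, ev in enumerate(events) if rule_matches(ev)]
```

Note that `selection_ext` is a bare substring check, so any command line containing `.key` or `.cer` (for example a path element such as `.keystore`) satisfies it; the tool-specific selections are what keep the rule at medium rather than high noise.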
References
Related rules
- Certificate Exported Via PowerShell
- Certificate Exported Via PowerShell - ScriptBlock
- Cisco Crypto Commands
- PowerShell Get-Process LSASS
- Suspicious PFX File Creation