Private Keys Reconnaissance Via CommandLine Tools

Adversaries may search for private key certificate files on compromised systems for insecurely stored credential

Sigma rule (View on GitHub)

 1title: Private Keys Reconnaissance Via CommandLine Tools
 2id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
 3status: test
 4description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
 7author: frack113, Nasreddine Bencherchali (Nextron Systems)
 8date: 2021/07/20
 9modified: 2023/03/06
10tags:
11    - attack.credential_access
12    - attack.t1552.004
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_cmd_img:
18        - Image|endswith: '\cmd.exe'
19        - OriginalFileName: 'Cmd.Exe'
20    selection_cmd_cli:
21        CommandLine|contains: 'dir '
22    selection_pwsh_img:
23        - Image|endswith:
24              - '\powershell.exe'
25              - '\pwsh.exe'
26        - OriginalFileName:
27              - 'PowerShell.EXE'
28              - 'pwsh.dll'
29    selection_pwsh_cli:
30        CommandLine|contains: 'Get-ChildItem '
31    selection_findstr:
32        - Image|endswith: '\findstr.exe'
33        - OriginalFileName: 'FINDSTR.EXE'
34    selection_ext:
35        CommandLine|contains:
36            - '.key'
37            - '.pgp'
38            - '.gpg'
39            - '.ppk'
40            - '.p12'
41            - '.pem'
42            - '.pfx'
43            - '.cer'
44            - '.p7b'
45            - '.asc'
46    condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
47falsepositives:
48    - Unknown
49level: medium

References

Related rules

to-top