security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1145/T1145.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

109 lines
3.6 KiB
Markdown
Raw Blame History

# T1145 - Private Keys
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1145)
<blockquote>Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)
Adversaries may gather private keys from compromised systems for use in authenticating to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows.
Private keys should require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.
Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Private Keys](#atomic-test-1---private-keys)
- [Atomic Test #2 - Discover Private SSH Keys](#atomic-test-2---discover-private-ssh-keys)
- [Atomic Test #3 - Copy Private SSH Keys with CP](#atomic-test-3---copy-private-ssh-keys-with-cp)
- [Atomic Test #4 - Copy Private SSH Keys with rsync](#atomic-test-4---copy-private-ssh-keys-with-rsync)
<br/>
## Atomic Test #1 - Private Keys
Find private keys on the Windows file system.
File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
```
<br/>
<br/>
## Atomic Test #2 - Discover Private SSH Keys
Discover private SSH keys on a macOS or Linux system.
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
#### Run it with `sh`!
```
find / -name id_rsa >> #{output_file}
find / -name id_dsa >> #{output_file}
```
<br/>
<br/>
## Atomic Test #3 - Copy Private SSH Keys with CP
Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
#### Run it with `sh`!
```
mkdir #{output_folder}
find / -name id_rsa -exec cp --parents {} #{output_folder} \;
find / -name id_dsa -exec cp --parents {} #{output_folder} \;
```
<br/>
<br/>
## Atomic Test #4 - Copy Private SSH Keys with rsync
Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
#### Run it with `sh`!
```
mkdir #{output_folder}
find / -name id_rsa -exec rsync -R {} #{output_folder} \;
find / -name id_dsa -exec rsync -R {} #{output_folder} \;
```
<br/>
Reference in New Issue View Git Blame Copy Permalink