# Elastic detection rule definition. Keys under [rule] are kept alphabetical
# with the EQL query last; [[rule.threat]] holds the MITRE ATT&CK mapping.
[metadata]
creation_date = "2023/08/21"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
# Building-block rule (see the "Rule Type: BBR" tag). Presumably consumed by
# higher-order rules rather than surfaced on its own — verify against the BBR
# conventions in use before changing risk_score or severity.
building_block_type = "default"
description = """
Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.
"""
# Lookback (119m) is roughly twice the run interval (60m), so consecutive runs
# overlap; together with timestamp_override = "event.ingested" this looks
# intended to tolerate delayed ingestion — confirm before changing either value.
from = "now-119m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Attempted Private Key Access"
risk_score = 21
rule_id = "c55badd3-3e61-4292-836f-56209dc8a601"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Rule Type: BBR",
    "Data Source: Sysmon",
    "Data Source: Elastic Endgame",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"
# Process-start events on Windows whose command line references a .pem file
# or an "id_rsa" name, minus argument patterns used for certificate handling
# and a list of known-benign executables.
#
# NOTE(review): "*.id_rsa*" requires a literal "." immediately before
# "id_rsa"; a key referenced by a path such as ".ssh\id_rsa" (backslash before
# the name) would not match as written — confirm this is the intended scope.
#
# NOTE(review): the process.executable exclusions are path allowlists; a path
# alone does not establish which binary ran. When tuning, consider pairing
# them with code-signature fields (e.g. process.code_signature.trusted) where
# the configured data sources populate them.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.command_line : ("*.pem *", "*.pem", "*.id_rsa*") and
  not process.args : ("--rootcert", "--cert", "--crlfile") and
  not process.command_line : (
    "*--cacert*", "*--ssl-cert*", "*--tls-cert*", "*--tls_server_certs*"
  ) and
  not process.executable : (
    "?:\\ProgramData\\Logishrd\\LogiOptions\\Software\\*\\LogiLuUpdater.exe",
    "?:\\Program Files\\Elastic\\Agent\\data\\*\\osqueryd.exe",
    "?:\\Program Files\\Git\\cmd\\git.exe",
    "?:\\Program Files\\Git\\mingw64\\bin\\git.exe",
    "?:\\Program Files\\Guardicore\\gc-controller.exe",
    "?:\\Program Files\\Guardicore\\gc-deception-agent.exe",
    "?:\\Program Files\\Guardicore\\gc-detection-agent.exe",
    "?:\\Program Files\\Guardicore\\gc-enforcement-agent.exe",
    "?:\\Program Files\\Guardicore\\gc-guest-agent.exe",
    "?:\\Program Files\\Logi\\LogiBolt\\LogiBoltUpdater.exe",
    "?:\\Program Files (x86)\\Schneider Electric EcoStruxure\\Building Operation 5.0\\Device Administrator\\Python\\python.exe",
    "?:\\Program Files\\Splunk\\bin\\openssl.exe",
    "?:\\Program Files\\SplunkUniversalForwarder\\bin\\openssl.exe",
    "?:\\Users\\*\\AppData\\Local\\Logi\\LogiBolt\\LogiBoltUpdater.exe",
    "?:\\Windows\\system32\\icacls.exe",
    "?:\\Windows\\System32\\OpenSSH\\*"
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.004"
name = "Private Keys"
reference = "https://attack.mitre.org/techniques/T1552/004/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"