T1552.004 Private Keys Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect private key file access and search
let KeyExtensions = dynamic([".pem", ".pfx", ".p12", ".key", ".ppk", ".pgp", ".gpg", ".asc", ".crt", ".cer", ".p7b"]);
let KeyDirectories = dynamic([".ssh", "ssl", "certs", "certificates", "keys", "private"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileAccessed", "FileCopied")
| where (
    (FileName endswith ".pem" or FileName endswith ".pfx" or FileName endswith ".p12"
     or FileName endswith ".key" or FileName endswith ".ppk" or FileName endswith ".pgp"
     or FileName endswith ".gpg" or FileName endswith ".asc")
    or FileName in~ ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
  )
// Exclude legitimate apps (ssh, scp, openssl) reading their own keys
| where InitiatingProcessFileName !in~ ("ssh", "scp", "sftp", "openssl", "gpg", "putty", "backup.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| union (
    // Detect search commands targeting private key file extensions
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (KeyExtensions)
    | where ProcessCommandLine has_any ("find ", "dir /s", "Get-ChildItem", "ls -la",
                                        "findstr", "locate", "mimikatz")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Command: Command Execution

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

SSH and SCP clients legitimately reading their own private key files for authentication (ssh -i, scp -i)
Web servers and applications reading their own TLS certificate private keys on startup (Apache, Nginx, IIS)
Certificate management tools (certbot, Let's Encrypt clients) managing certificate lifecycle
Backup agents reading certificate directories as part of full system backup
Key management systems and HSM integration software reading and rotating keys

Splunk

spl

index=wineventlog OR index=linux_audit (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_audit")
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (CommandLine="*.pem*" OR CommandLine="*.pfx*" OR CommandLine="*.p12*" OR CommandLine="*.ppk*" OR CommandLine="*.pgp*" OR CommandLine="*.gpg*")
    AND
    (Image="*\\mimikatz.exe" OR Image="*\\certutil.exe" OR CommandLine="*find*" OR CommandLine="*Get-ChildItem*" OR CommandLine="*dir /s*")
  )
| eval AlertType="WinKeySearch"
| table _time, host, User, Image, CommandLine, AlertType
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.pem" OR TargetFilename="*.pfx" OR TargetFilename="*.p12" OR TargetFilename="*.ppk" OR TargetFilename="*id_rsa" OR TargetFilename="*id_ecdsa" OR TargetFilename="*id_ed25519")
  NOT (Image IN ("*\\ssh.exe", "*\\scp.exe", "*\\openssl.exe", "*\\putty.exe", "*\\backup*"))
| eval AlertType="WinKeyAccess"
| table _time, host, User, Image, TargetFilename, AlertType
)
OR
(
  sourcetype="linux_audit" type=OPEN success="yes"
  (name="*.pem" OR name="*.key" OR name="*.pfx" OR name="*.p12" OR name="*/.ssh/id_rsa" OR name="*/.ssh/id_ecdsa" OR name="*/.ssh/id_ed25519")
  NOT (comm IN ("ssh", "scp", "sftp", "openssl", "curl", "nginx", "apache", "httpd", "certbot"))
| eval AlertType="LinuxKeyAccess"
| table _time, host, auid, comm, name, AlertType
)
| sort - _time

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Sysmon Event ID 1, 11 linux_audit OPEN events

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_audit

False Positives

SSH/SCP clients reading their own private keys for authentication
Web servers reading TLS certificate private keys on startup
Certificate management tools managing certificate lifecycle
Backup agents reading certificate directories
Key management and HSM integration software

Elastic Security (EQL)

eql

any where (
  (
    event.category == "file" and
    event.action in ("open", "read", "copy") and
    (
      file.extension in ("pem", "pfx", "p12", "key", "ppk", "pgp", "gpg", "asc", "crt", "cer", "p7b") or
      file.name in ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
    ) and
    not process.name in ("ssh", "scp", "sftp", "openssl", "gpg", "putty", "curl", "nginx", "apache2", "httpd", "certbot", "backup")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.args : ("*.pem", "*.pfx", "*.p12", "*.key", "*.ppk", "*.pgp", "*.gpg", "*id_rsa", "*id_ecdsa", "*id_ed25519") and
      (
        process.name in ("find", "locate", "grep", "mimikatz", "certutil") or
        process.args : ("Get-ChildItem", "dir /s", "findstr", "ls -la")
      )
    )
  )
)

high severity medium confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (auditd module)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-*

False Positives

Backup agents (e.g., Veeam, Bacula, Restic) that read certificate stores as part of scheduled system backups
Certificate renewal automation tools (certbot, acme.sh) that read and update TLS certificates
DevOps/CI pipelines (Jenkins, GitHub Actions runner) that legitimately clone repos containing .pem or key files for deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "processname",
  "filename",
  "command"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 52, 71, 232, 377)
  AND starttime > NOW() - 86400000
  AND (
    (
      LOWER("filename") LIKE '%.pem'
      OR LOWER("filename") LIKE '%.pfx'
      OR LOWER("filename") LIKE '%.p12'
      OR LOWER("filename") LIKE '%.ppk'
      OR LOWER("filename") LIKE '%.pgp'
      OR LOWER("filename") LIKE '%.gpg'
      OR LOWER("filename") LIKE '%.asc'
      OR LOWER("filename") LIKE '%.key'
      OR LOWER("filename") IN ('id_rsa', 'id_ecdsa', 'id_ed25519', 'id_dsa')
    )
    AND LOWER("processname") NOT IN ('ssh', 'scp', 'sftp', 'openssl', 'gpg', 'curl', 'nginx', 'apache2', 'httpd', 'certbot')
  )
  OR (
    (
      LOWER("command") LIKE '%.pem%'
      OR LOWER("command") LIKE '%.pfx%'
      OR LOWER("command") LIKE '%.p12%'
      OR LOWER("command") LIKE '%.ppk%'
      OR LOWER("command") LIKE '%id_rsa%'
      OR LOWER("command") LIKE '%id_ecdsa%'
    )
    AND (
      LOWER("command") LIKE '%find %'
      OR LOWER("command") LIKE '%locate %'
      OR LOWER("command") LIKE '%get-childitem%'
      OR LOWER("command") LIKE '%dir /s%'
      OR LOWER("command") LIKE '%mimikatz%'
      OR LOWER("processname") LIKE '%certutil%'
    )
  )
ORDER BY starttime DESC
LAST 1 DAYS

high severity medium confidence

Data Sources

Microsoft Windows Sysmon Linux auditd Microsoft Windows Security Event Log

Required Tables

events

False Positives

Scheduled PKI management jobs that rotate and audit TLS certificates across servers
SSH key management platforms (HashiCorp Vault SSH, Teleport) that regularly read and distribute SSH private keys
Security scanners (Tenable, Qualys) performing certificate inventory checks across the environment

Sumo Logic CSE

sql

(_sourceCategory="os/linux/audit" OR _sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/*")
| where (%"event.code" IN ("1", "11") OR type = "OPEN")
| where (
    (%"file.name" matches /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer|p7b)$/
      OR %"file.name" IN ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
      OR %"winlog.event_data.TargetFilename" matches /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer)$/
      OR name matches /(?i)(id_rsa|id_ecdsa|id_ed25519|\.pem|\.pfx|\.p12|\.ppk|\.key)$/)
    AND !(comm IN ("ssh", "scp", "sftp", "openssl", "gpg", "curl", "nginx", "apache2", "httpd", "certbot")
      OR %"process.name" IN ("ssh", "scp", "sftp", "openssl", "gpg", "putty", "backup"))
  )
  OR (
    (%"process.command_line" matches /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key)/
      OR %"winlog.event_data.CommandLine" matches /(?i)\.(pem|pfx|p12|ppk|id_rsa|id_ecdsa)/)
    AND (%"process.command_line" matches /(?i)(find |locate |Get-ChildItem|dir \/s|findstr|mimikatz)/
      OR %"winlog.event_data.CommandLine" matches /(?i)(find |locate |Get-ChildItem|dir \/s|findstr|mimikatz)/)
  )
| eval alert_type = if(%"winlog.event_data.TargetFilename" matches /.*/, "WinKeyAccess",
    if(type = "OPEN", "LinuxKeyAccess", "KeySearch"))
| eval host_field = if(!isNull(%"host.name"), %"host.name", host)
| eval user_field = if(!isNull(%"winlog.event_data.User"), %"winlog.event_data.User",
    if(!isNull(auid), auid, username))
| table _time, host_field, user_field, alert_type, %"process.name", %"process.command_line",
    %"winlog.event_data.TargetFilename", name, comm
| sort by _time desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Sysmon) Sumo Logic Installed Collector (auditd) Sumo Logic Cloud-to-Cloud (Endpoint)

Required Tables

os/linux/audit windows/sysmon endpoint/*

False Positives

Automated certificate lifecycle management tools (Venafi, DigiCert) performing scheduled discovery scans of deployed certificates
System administrators using find or ls commands to audit SSH key distribution across managed hosts
Container orchestration systems (Kubernetes, Docker) mounting and reading TLS secrets during pod initialization

Google Chronicle / SecOps

yaral

rule T1552_004_private_key_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects access to or search for private key and certificate files (T1552.004). Covers SSH keys, TLS certs, PGP keys, and PKCS formats accessed by non-standard processes."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.004"
    reference = "https://attack.mitre.org/techniques/T1552/004/"
    created = "2026-04-13"

  events:
    (
      $e.metadata.event_type = "FILE_OPEN"
      and (
        re.regex($e.target.file.full_path, `(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer|p7b)$`)
        or re.regex($e.target.file.full_path, `(?i)(id_rsa|id_ecdsa|id_ed25519|id_dsa)$`)
      )
      and not re.regex($e.principal.process.file.full_path,
        `(?i)(\bssh\b|\bscp\b|\bsftp\b|openssl|gpg|putty|certbot|nginx|apache|httpd|backup)`)
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|id_rsa|id_ecdsa|id_ed25519)`)
        and re.regex($e.target.process.command_line,
          `(?i)(\bfind\b|\blocate\b|Get-ChildItem|dir /s|findstr|mimikatz)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle (Endpoint Telemetry) Chronicle SIEM UDM CrowdStrike Falcon Chronicle Forwarder Carbon Black Chronicle Forwarder

Required Tables

udm_events

False Positives

Secrets management integrations (HashiCorp Vault Agent, AWS Secrets Manager) that read and rotate TLS certificates on a schedule
Penetration testing tools run by authorized red team operations targeting SSH key stores
Monitoring agents (Datadog, New Relic) that inspect certificate expiry by reading cert files periodically

CrowdStrike LogScale (CQL)

cql

// Detection 1: Private key file access by unexpected processes
#event_simpleName IN ("OperationOfInterest", "SuspiciousFileRead", "EndOfProcess")
| #event_simpleName = "OperationOfInterest"
| TargetFileName = /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer|p7b)$|\/id_(rsa|ecdsa|ed25519|dsa)$/
| ImageFileName != /(?i)(\\ssh\.exe|\\scp\.exe|\\sftp\.exe|\\openssl\.exe|\\putty\.exe|\/ssh$|\/scp$|\/sftp$|\/openssl$|\/gpg$|certbot|nginx|apache|httpd)/
| groupBy([ComputerName, UserName, ImageFileName, TargetFileName], function=count(aid, as=AccessCount))
| sort(AccessCount, order=desc)

// Detection 2: Process search commands targeting private key extensions
| join
(
  #event_simpleName = "ProcessRollup2"
  | CommandLine = /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|id_rsa|id_ecdsa|id_ed25519)/
  | CommandLine = /(?i)(\bfind\b|\blocate\b|Get-ChildItem|dir\ \/s|findstr|mimikatz|certutil)/
  | groupBy([ComputerName, UserName, FileName, CommandLine], function=[
      count(aid, as=SearchCount),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ])
  | sort(SearchCount, order=desc)
  | limit(1000)
), field=ComputerName, include=outer

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Insight XDR

Required Tables

OperationOfInterest ProcessRollup2

False Positives

Enterprise backup solutions (Commvault, Veritas) running as SYSTEM that sweep file systems including certificate directories
IT asset management agents performing software and file inventory scans that enumerate certificate files
Key management service agents (CyberArk, Thycotic) that perform scheduled rotations and discovery of SSH private keys

Private Keys

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections