Detect Private Keys in Elastic Security
Adversaries may search for private key and certificate files on compromised systems. Private keys (.key, .pem, .pfx, .p12, .ppk, .pgp, .gpg, .asc) are used for authentication, encryption, and digital signatures. SSH private keys enable key-based lateral movement. TLS/SSL private keys enable HTTPS interception. Code signing certificates enable payload signing for defense evasion. PGP keys decrypt archived data. Adversaries including Machete, Kinsing, Hildegard, Mafalda, and various APT groups actively harvest private keys. Mimikatz's CRYPTO::Extract module extracts keys via Windows CNG API. On network devices, 'crypto pki export' extracts PKI credentials.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.004 Private Keys
- Canonical reference
- https://attack.mitre.org/techniques/T1552/004/
Elastic Detection Query
any where (
(
event.category == "file" and
event.action in ("open", "read", "copy") and
(
file.extension in ("pem", "pfx", "p12", "key", "ppk", "pgp", "gpg", "asc", "crt", "cer", "p7b") or
file.name in ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
) and
not process.name in ("ssh", "scp", "sftp", "openssl", "gpg", "putty", "curl", "nginx", "apache2", "httpd", "certbot", "backup")
) or
(
event.category == "process" and
event.type == "start" and
(
process.args : ("*.pem", "*.pfx", "*.p12", "*.key", "*.ppk", "*.pgp", "*.gpg", "*id_rsa", "*id_ecdsa", "*id_ed25519") and
(
process.name in ("find", "locate", "grep", "mimikatz", "certutil") or
process.args : ("Get-ChildItem", "dir /s", "findstr", "ls -la")
)
)
)
)Detects adversaries searching for or accessing private key files (.pem, .pfx, .p12, .key, .ppk, .pgp, .gpg, id_rsa, etc.) via file access events or process command-line searches. Covers T1552.004 credential access techniques used by APT groups and tools like Mimikatz.
Data Sources
Required Tables
False Positives & Tuning
- Backup agents (e.g., Veeam, Bacula, Restic) that read certificate stores as part of scheduled system backups
- Certificate renewal automation tools (certbot, acme.sh) that read and update TLS certificates
- DevOps/CI pipelines (Jenkins, GitHub Actions runner) that legitimately clone repos containing .pem or key files for deployment
Other platforms for T1552.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Find SSH Private Keys on Linux
Expected signal: Linux auditd EXECVE records for find with id_rsa and .pem patterns. Multiple OPEN syscalls for each found key file. Process chain visible in auditd.
- Test 2Copy SSH Private Key for Exfiltration
Expected signal: Linux auditd: OPEN for ~/.ssh/id_rsa (read) and /tmp/stolen_key (write). EXECVE for cp and cat commands. File creation event for /tmp/stolen_key.
- Test 3Export Windows Certificate with Private Key via certutil
Expected signal: Sysmon Event ID 1: certutil.exe with -exportPFX, -p (password), and output file path. Sysmon Event ID 11: .pfx file created in C:\Windows\Temp. Windows Security Event 4657 if certificate store auditing enabled.
- Test 4Search for Private Keys with PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem, *.pem, *.pfx, *.ppk patterns. PowerShell ScriptBlock Log Event ID 4104. Multiple file access events for any found key files.
References (6)
- https://attack.mitre.org/techniques/T1552/004/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
- https://adsecurity.org/?p=2870
- https://www.unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.aquasec.com/blog/kinsing-malware-operations/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
Unlock Pro Content
Get the full detection package for T1552.004 including response playbook, investigation guide, and atomic red team tests.