T1552.004 Sumo Logic CSE · Sumo

Detect Private Keys in Sumo Logic CSE

Adversaries may search for private key and certificate files on compromised systems. Private keys (.key, .pem, .pfx, .p12, .ppk, .pgp, .gpg, .asc) are used for authentication, encryption, and digital signatures. SSH private keys enable key-based lateral movement. TLS/SSL private keys enable HTTPS interception. Code signing certificates enable payload signing for defense evasion. PGP keys decrypt archived data. Adversaries including Machete, Kinsing, Hildegard, Mafalda, and various APT groups actively harvest private keys. Mimikatz's CRYPTO::Extract module extracts keys via Windows CNG API. On network devices, 'crypto pki export' extracts PKI credentials.

MITRE ATT&CK

  • Tactic: Credential Access
  • Technique: T1552 Unsecured Credentials
  • Sub-technique: T1552.004 Private Keys
  • Canonical reference: https://attack.mitre.org/techniques/T1552/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory="os/linux/audit" OR _sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/*")
// Scope to Sysmon process-create (1) and file-create (11) events, plus auditd OPEN records
| where (%"event.code" IN ("1", "11") OR type = "OPEN")
| where (
    // Branch 1: direct access to key/certificate material, minus known-legitimate processes
    (%"file.name" matches /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer|p7b)$/
      OR %"file.name" IN ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
      OR %"winlog.event_data.TargetFilename" matches /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer)$/
      OR name matches /(?i)(id_rsa|id_ecdsa|id_ed25519|\.pem|\.pfx|\.p12|\.ppk|\.key)$/)
    AND !(comm IN ("ssh", "scp", "sftp", "openssl", "gpg", "curl", "nginx", "apache2", "httpd", "certbot")
      OR %"process.name" IN ("ssh", "scp", "sftp", "openssl", "gpg", "putty", "backup"))
  )
  OR (
    // Branch 2: a search/enumeration command whose arguments reference key material
    (%"process.command_line" matches /(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key)/
      OR %"winlog.event_data.CommandLine" matches /(?i)\.(pem|pfx|p12|ppk|id_rsa|id_ecdsa)/)
    AND (%"process.command_line" matches /(?i)(find |locate |Get-ChildItem|dir \/s|findstr|mimikatz)/
      OR %"winlog.event_data.CommandLine" matches /(?i)(find |locate |Get-ChildItem|dir \/s|findstr|mimikatz)/)
  )
// Label the hit: Windows file event first, then Linux OPEN, otherwise a search command
| eval alert_type = if(!isNull(%"winlog.event_data.TargetFilename"), "WinKeyAccess",
    if(type = "OPEN", "LinuxKeyAccess", "KeySearch"))
| eval host_field = if(!isNull(%"host.name"), %"host.name", host)
| eval user_field = if(!isNull(%"winlog.event_data.User"), %"winlog.event_data.User",
    if(!isNull(auid), auid, username))
// Sumo selects output columns with fields (not table); _messagetime is the message timestamp
| fields _messagetime, host_field, user_field, alert_type, %"process.name", %"process.command_line",
    %"winlog.event_data.TargetFilename", name, comm
| sort by _messagetime desc

Severity: high. Confidence: medium.

Detects private key file access and search operations across Windows (Sysmon) and Linux (auditd) via Sumo Logic. Identifies both direct file access to certificate/key material and process-level search commands targeting key extensions, with exclusions for known-legitimate processes.

Data Sources

  • Sumo Logic Installed Collector (Sysmon)
  • Sumo Logic Installed Collector (auditd)
  • Sumo Logic Cloud-to-Cloud (Endpoint)

Required Tables

  • os/linux/audit
  • windows/sysmon
  • endpoint/*

False Positives & Tuning

  • Automated certificate lifecycle management tools (Venafi, DigiCert) performing scheduled discovery scans of deployed certificates
  • System administrators using find or ls commands to audit SSH key distribution across managed hosts
  • Container orchestration systems (Kubernetes, Docker) mounting and reading TLS secrets during pod initialization
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Find SSH Private Keys on Linux

     Expected signal: Linux auditd EXECVE records for find with id_rsa and .pem patterns. Multiple OPEN syscalls for each found key file. Process chain visible in auditd.

  2. Test 2: Copy SSH Private Key for Exfiltration

     Expected signal: Linux auditd: OPEN for ~/.ssh/id_rsa (read) and /tmp/stolen_key (write). EXECVE for cp and cat commands. File creation event for /tmp/stolen_key.

  3. Test 3: Export Windows Certificate with Private Key via certutil

     Expected signal: Sysmon Event ID 1: certutil.exe with -exportPFX, -p (password), and output file path. Sysmon Event ID 11: .pfx file created in C:\Windows\Temp. Windows Security Event 4657 if certificate store auditing is enabled.

  4. Test 4: Search for Private Keys with PowerShell

     Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem, *.pem, *.pfx, *.ppk patterns. PowerShell ScriptBlock Log Event ID 4104. Multiple file access events for any found key files.
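To check the query's two branches and its alert_type labelling against the telemetry the tests above are expected to produce, here is an added Python re-implementation of the detection logic run over constructed sample events; it is not part of the original page or of Sumo Logic's product, the event dicts are made up to resemble the fields the query reads, and the two per-platform command-line regexes are merged into one.

```python
import re

# Regexes mirror the query's patterns; the two command-line regexes are merged into one.
KEY_EXT = re.compile(r"(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key|crt|cer|p7b)$")
KEY_NAMES = {"id_rsa", "id_ecdsa", "id_ed25519", "id_dsa"}
CMD_KEY_REF = re.compile(r"(?i)\.(pem|pfx|p12|ppk|pgp|gpg|asc|key)|id_rsa|id_ecdsa|id_ed25519")
SEARCH_CMD = re.compile(r"(?i)(find |locate |Get-ChildItem|dir /s|findstr|mimikatz)")
LEGIT_PROCS = {"ssh", "scp", "sftp", "openssl", "gpg", "curl", "nginx",
               "apache2", "httpd", "certbot", "putty", "backup"}

def classify(ev):
    """Return the alert_type the query would assign to one event, or None if it would not fire."""
    # First where: Sysmon Event ID 1/11 or an auditd OPEN record.
    if ev.get("event.code") not in ("1", "11") and ev.get("type") != "OPEN":
        return None
    # Branch 1: direct access to key/certificate material, minus known-legitimate processes.
    path = ev.get("winlog.event_data.TargetFilename") or ev.get("file.name") or ev.get("name") or ""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    proc = ev.get("comm") or ev.get("process.name") or ""
    file_hit = (KEY_EXT.search(base) or base in KEY_NAMES) and proc not in LEGIT_PROCS
    # Branch 2: a search command whose arguments reference key material.
    cmd = ev.get("process.command_line") or ev.get("winlog.event_data.CommandLine") or ""
    search_hit = CMD_KEY_REF.search(cmd) and SEARCH_CMD.search(cmd)
    if not (file_hit or search_hit):
        return None
    # Same precedence as the query's nested if(): Windows file event, then Linux OPEN, else search.
    if ev.get("winlog.event_data.TargetFilename"):
        return "WinKeyAccess"
    return "LinuxKeyAccess" if ev.get("type") == "OPEN" else "KeySearch"

def run(events):
    """Return (index, alert_type) for every event that fires."""
    labelled = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, a) for i, a in labelled if a]

# Constructed sample events (not real telemetry), shaped like the fields the query reads.
EVENTS = [
    {"event.code": "11", "process.name": "certutil.exe",                     # Test 3: PFX export
     "winlog.event_data.TargetFilename": r"C:\Windows\Temp\export.pfx"},
    {"type": "OPEN", "comm": "cat", "name": "/home/bob/.ssh/id_rsa"},        # Test 2: key read
    {"type": "OPEN", "comm": "nginx", "name": "/etc/ssl/private/site.pem"},  # excluded daemon
    {"event.code": "1", "process.name": "powershell.exe",                    # Test 4: key search
     "process.command_line": r"powershell.exe Get-ChildItem C:\ -Recurse -Include *.pem,*.pfx,*.ppk"},
    {"event.code": "1", "process.name": "ssh",                               # key used, not searched for
     "process.command_line": r"ssh -i C:\Users\alice\.ssh\id_ed25519 bastion"},
]

if __name__ == "__main__":
    for i, alert in run(EVENTS):
        print(i, alert)
```

The nginx read of a .pem and the plain ssh -i invocation fall through, which is the behaviour the exclusion list and the search-verb requirement are meant to give; widen LEGIT_PROCS to mirror whatever the tuning section adds for your estate.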
