title: Private Keys (T1552.004)
id: df00tech-t1552-004
status: experimental
description: "Adversaries may search for private key and certificate files on compromised systems. Private keys (.key, .pem, .pfx, .p12, .ppk, .pgp, .gpg, .asc) are used for authentication, encryption, and digital signatures. SSH private keys enable key-based lateral movement. TLS/SSL private keys enable HTTPS interception. Code signing certificates enable payload signing for defense evasion. PGP keys decrypt archived data. Adversaries including Machete, Kinsing, Hildegard, Mafalda, and various APT groups actively harvest private keys. Mimikatz's CRYPTO::Extract module extracts keys via Windows CNG API. On network devices, 'crypto pki export' extracts PKI credentials."
references:
  - https://attack.mitre.org/techniques/T1552/004/
  - https://df00tech.com/detections/T1552.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1552.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below (EventID: '*') is a placeholder that matches every
  # process_creation event and must be replaced before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "SSH and SCP clients legitimately reading their own private key files for authentication (ssh -i, scp -i)"
  - "Web servers and applications reading their own TLS certificate private keys on startup (Apache, Nginx, IIS)"
  - "Certificate management tools (certbot, Let's Encrypt clients) managing certificate lifecycle"
  - "Backup agents reading certificate directories as part of full system backup"
  - "Key management systems and HSM integration software reading and rotating keys"
level: high
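Because the detection block above is only a placeholder, the following is an added worked example (not the df00tech rule's own KQL/SPL query) of what the process_creation logic can look like: it pulls every command-line argument ending in one of the private-key extensions named in the description, checks for the Mimikatz CRYPTO::Extract and 'crypto pki export' indicators the description mentions, and suppresses the legitimate readers listed under falsepositives. The sample events and the allowlisted image names (ssh.exe, nginx, certbot.exe, and so on) are constructed assumptions for illustration and should be tuned to the environment.

```python
"""Reference detection logic for T1552.004 over process_creation events.
Added example; not the df00tech rule's own query. Sample events and the
allowlisted image names below are constructed assumptions."""
import re
from typing import Iterable, Optional

# Private key and certificate extensions listed in the rule description.
KEY_EXTENSIONS = (".key", ".pem", ".pfx", ".p12", ".ppk", ".pgp", ".gpg", ".asc")

# Tool indicators named in the description: Mimikatz's CRYPTO::Extract module
# and the network-device 'crypto pki export' command.
TOOL_INDICATORS = ("crypto::extract", "crypto pki export")

# One token per match: double-quoted, single-quoted, or bare. Quoting keeps
# paths such as "C:\Program Files\..." together as a single argument.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def key_files_in(command_line: str) -> list:
    """Return every argument whose name ends in a private-key/certificate extension.
    Wildcards such as C:\\*.pem are returned too, which catches bulk searches."""
    found = []
    for m in TOKEN_RE.finditer(command_line):
        tok = next(g for g in m.groups() if g is not None)
        if tok.lower().endswith(KEY_EXTENSIONS):
            found.append(tok)
    return found


def is_expected_use(image: str, command_line: str) -> bool:
    """Suppress the legitimate readers under falsepositives.
    Image basenames are assumptions about a typical estate; tune them locally."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = command_line.lower()
    # SSH/SCP clients passing their own identity file (ssh -i, scp -i).
    if exe in ("ssh", "ssh.exe", "scp", "scp.exe") and re.search(r"(?:^|\s)-i\s", cmd):
        return True
    # Web servers loading their own TLS key on startup (Apache, Nginx, IIS worker).
    if exe in ("httpd", "httpd.exe", "nginx", "nginx.exe", "w3wp.exe"):
        return True
    # Certificate lifecycle tooling.
    if exe in ("certbot", "certbot.exe"):
        return True
    return False


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious event, or None when nothing fires."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    keys = key_files_in(cmd)
    tools = [t for t in TOOL_INDICATORS if t in cmd.lower()]
    if not keys and not tools:
        return None
    # Allowlisting only applies to plain file references, never to tool indicators.
    if keys and not tools and is_expected_use(image, cmd):
        return None
    # A tool indicator or several key files in one command is the stronger signal.
    level = "high" if tools or len(keys) > 1 else "medium"
    return {"image": image, "key_files": keys, "tool_indicators": tools, "level": level}


def run_detection(events: Iterable[dict]) -> list:
    """Evaluate a stream of process_creation events and keep the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Expected: SSH client using its own identity file.
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r'ssh.exe -i "C:\Users\alice\keys\bastion.pem" alice@bastion'},
    # Bulk search for key material across the volume.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /s /b C:\*.pem C:\*.pfx > C:\temp\out.txt"},
    # Tool indicator from the description.
    {"Image": r"C:\Users\Public\m.exe",
     "CommandLine": r'm.exe "crypto::extract" "exit"'},
    # Expected: certificate lifecycle tooling touching its own key.
    {"Image": r"C:\Program Files\certbot\certbot.exe",
     "CommandLine": r"certbot.exe certonly --csr C:\certs\req.csr --key-path C:\certs\site.key"},
    # Single key file copied to a share by an interactive shell.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Copy-Item C:\secrets\backup.pfx \\share\drop"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is deliberately narrow: it keys on the image basename plus, for SSH/SCP, the presence of the `-i` flag, so a renamed binary or a shell merely invoking `ssh` with a harvested key still surfaces. Backup agents and HSM integration software, the remaining falsepositives entries, vary too much by vendor to name here and are left for local tuning.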
