Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as
~/.ssh for SSH keys on * nix-based systems or
C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.
|M1041||Encrypt Sensitive Information||
When possible, store keys on separate cryptographic hardware instead of on the local system.
Use strong passphrases for private keys to make cracking difficult.
|M1022||Restrict File and Directory Permissions||
Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.
|ID||Data Source||Data Component|
Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.