turbot/tailpipe-mod-aws-cloudtrail-log-detections

Benchmark: T1552.004 Unsecured Credentials: Private Keys

Overview

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.

When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity. An adversary with access to the device may be able to export the keys in order to impersonate the device.

On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections

Start the Powerpipe server:

powerpipe server

Open http://localhost:9033 in your browser and select T1552.004 Unsecured Credentials: Private Keys.

Run this benchmark in your terminal:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0006_t1552_004

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0006_t1552_004 --share

Detections

Tags