
Unsecured Credentials: Private Keys T1552.004

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b and .asc.

Events covered

6 catalog events are tagged with this technique by at least one rule.

Provider | Event ID | Title
Sysmon | 1 | Process creation
Sysmon | 11 | FileCreate
Security-Auditing | 4662 | An operation was performed on an object.
Security-Auditing | 4688 | A new process has been created.
CertificateServicesClient-Lifecycle-System | 1007 | A certificate has been exported.
PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 10 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (7 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 3 | match 3 | Export-Certificate , Export-PfxCertificate , Get-Process lsas, ps lsas, gps lsas
ScriptBlockText | 3 | eq 2, match 1 | CmdletsToExport = @(, Export-PfxCertificate, Export-Certificate, "*export-certificate*", "*export-pfxcertificate*"
EventID | 3 | eq 3 | 4104, 1007
Properties | 1 | match 1 | b7ff5a38-0818-42b0-8110-d3d154c97f24, 612cb747-c0e8-4f92-9221-fdd5f15b550d, b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7
TargetFilename | 1 | ends_with 1, match 1 | .cer, ntds_capi_, ntds_legacy_
Image | 1 | ends_with 1 | \findstr.exe, \powershell.exe, \cmd.exe
OriginalFileName | 1 | eq 1 | PowerShell.EXE, FINDSTR.EXE, Cmd.Exe

Top indicator values (43 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
EventID | eq | 4104 | 2 | 108
Properties | match | 612cb747-c0e8-4f92-9221-fdd5f15b550d | 1 |
Properties | match | b7ff5a38-0818-42b0-8110-d3d154c97f24 | 1 |
Properties | match | b3f93023-9239-4f7c-b99c-6745d87adbc2 | 1 |
Properties | match | b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7 | 1 |
CommandLine | match | Export-Certificate  | 1 |
CommandLine | match | Export-PfxCertificate  | 1 |
ScriptBlockText | match | CmdletsToExport = @( | 1 |
ScriptBlockText | match | Export-Certificate | 1 |
ScriptBlockText | match | Export-PfxCertificate | 1 |
TargetFilename | match | ntds_capi_ | 1 |
TargetFilename | ends_with | .cer | 1 | 2
TargetFilename | match | ntds_legacy_ | 1 |
TargetFilename | ends_with | .key | 1 | 2
TargetFilename | match | ntds_unknown_ | 1 |
TargetFilename | ends_with | .pfx | 1 |
TargetFilename | ends_with | .pvk | 1 |
CommandLine | match | Get-Process lsas | 1 |
CommandLine | match | ps lsas | 1 |
CommandLine | match | gps lsas | 1 |

Common exclusions (3 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
AccessMask | in | 0x0 | 1
SubjectUserSid | eq | S-1-5-18 | 1
AccessMask | in | 0x100 | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry lists its full predicates, exclusions, and indicators.

Sigma 5 rules

Elastic 1 rule

Splunk 3 rules

Kusto Query Language 1 rule