Unsecured Credentials: Закрытые ключи
Other sub-techniques of Unsecured Credentials (8)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via Network Device CLI commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys)
Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.
Примеры процедур |
|
| Название | Описание |
|---|---|
| Machete |
Machete has scanned and looked for cryptographic keys and certificate file extensions.(Citation: ESET Machete July 2019) |
| Mimikatz |
Mimikatz's |
|
During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.(Citation: FoxIT Wocao December 2019) |
|
| Kinsing |
Kinsing has searched for private keys.(Citation: Aqua Kinsing April 2020) |
| Hildegard |
Hildegard has searched for private keys in .ssh.(Citation: Unit 42 Hildegard Malware) |
| Mafalda |
Mafalda can collect a Chrome encryption key used to protect browser cookies.(Citation: SentinelLabs Metador Sept 2022) |
| Scattered Spider |
Scattered Spider enumerate and exfiltrate code-signing certificates from a compromised host.(Citation: CISA Scattered Spider Advisory November 2023) |
|
During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate)(Citation: Cybersecurity Advisory SVR TTP May 2021) |
|
| FoggyWeb |
FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021) |
| TeamTNT |
TeamTNT has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT) |
| UNC2452 |
UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate) |
| Operation Wocao |
Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.(Citation: FoxIT Wocao December 2019) |
| Empire |
Empire can use modules like |
| APT29 |
APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate)(Citation: Cybersecurity Advisory SVR TTP May 2021) |
| AADInternals |
AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.(Citation: AADInternals Documentation) |
| Rocke |
Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.(Citation: Anomali Rocke March 2019) |
| Ebury |
Ebury has intercepted unencrypted private keys as well as private key pass-phrases.(Citation: ESET Ebury Feb 2014) |
| Volt Typhoon |
Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| jRAT |
jRAT can steal keys for VPNs and cryptocurrency wallets.(Citation: Kaspersky Adwind Feb 2016) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Password Policies |
Set and enforce secure password policies for accounts. |
| Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
| Private Keys Mitigation |
Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of Valid Accounts. |
| Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Encrypt Sensitive Information |
Protect sensitive information with strong encryption. |
Обнаружение
Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication. For network infrastructure devices, collect AAA logging to monitor for private keys being exported.
Ссылки
- Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.
- Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.
- Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.
- Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.
- Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023.
- Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
- CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
- Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
- CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.