Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms

Technique Detected: Private Keys | T1552.004

ID: DET0549
Domains: Enterprise
Analytics: AN1516, AN1517, AN1518, AN1519
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1516

A process (non-system or user-initiated) accesses private key files in user profile paths or system certificate stores, followed by potential network connections or compression activity.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

Mutable Elements

| Field | Description |
| --- | --- |
| FilePathRegex | Regex for matching key file extensions (.pem, .pfx, .ppk, etc.) or known certificate directories like C:\Users\*\.ssh\ |
| ParentProcessName | Set of known benign certificate management tools to exclude (e.g., certutil.exe, ssh.exe) |
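An added example, not part of the ATT&CK detection strategy itself, of how AN1516 can be correlated over Sysmon-shaped telemetry: a non-allowlisted process touches a key file (EventCode 11) and, within a short window, either spawns an archiver or opens a network connection. The regex, the allowlist, the archiver set, the five-minute window and the use of Sysmon EventCode 3 for network connections are assumptions; the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# FilePathRegex: key-file extensions or well-known key directories (assumed values).
KEY_FILE_RE = re.compile(r"(\\\.ssh\\|\\\.gnupg\\|\.(pem|pfx|ppk|p12|key)$)", re.IGNORECASE)
# ParentProcessName exclusions: known benign certificate tooling (assumed values).
BENIGN = {"certutil.exe", "ssh.exe", "ssh-agent.exe"}
# Archivers whose launch right after a key-file event suggests staging (assumed values).
ARCHIVERS = {"7z.exe", "rar.exe", "tar.exe", "makecab.exe"}
WINDOW = timedelta(minutes=5)  # correlation window between key access and follow-up

def _name(image):
    return PureWindowsPath(image).name.lower()

def detect(events):
    """One alert per non-allowlisted process that creates/writes a key file (EventCode 11)
    and within WINDOW opens a connection (EventCode 3, same pid) or spawns an archiver."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["code"] != 11 or not KEY_FILE_RE.search(ev["target"]):
            continue
        if _name(ev["image"]) in BENIGN:
            continue  # exclusion list keeps certutil/ssh noise out
        deadline = datetime.fromisoformat(ev["time"]) + WINDOW
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["time"]) > deadline:
                break
            net = later["code"] == 3 and later["pid"] == ev["pid"]
            staged = (later["code"] == 1 and later.get("ppid") == ev["pid"]
                      and _name(later["image"]) in ARCHIVERS)
            if net or staged:
                alerts.append({"pid": ev["pid"], "image": ev["image"], "key_file": ev["target"],
                               "follow_up": "network" if net else "compression", "at": later["time"]})
                break
    return alerts

# Constructed sample telemetry shaped like Sysmon fields; not real events.
SAMPLE = [
    {"time": "2025-10-21T10:00:05", "code": 11, "pid": 410, "image": r"C:\Windows\System32\certutil.exe", "target": r"C:\Temp\machine.pfx"},
    {"time": "2025-10-21T10:00:09", "code": 3, "pid": 410, "image": r"C:\Windows\System32\certutil.exe", "target": "10.0.0.5:443"},
    {"time": "2025-10-21T10:02:00", "code": 11, "pid": 918, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "target": r"C:\Users\bob\.ssh\id_rsa"},
    {"time": "2025-10-21T10:02:30", "code": 1, "pid": 920, "ppid": 918, "image": r"C:\Program Files\7-Zip\7z.exe", "target": "7z a out.7z id_rsa"},
    {"time": "2025-10-21T10:03:00", "code": 11, "pid": 777, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Only the unknown `update.exe` event is raised: certutil is excluded by the allowlist, and the `notes.txt` write never matches the key-file regex.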

AN1517

User or script-based access to ~/.ssh or other directories containing private keys followed by unusual shell activity or network connections.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | auditd:SYSCALL | openat |
| Process Creation (DC0032) | auditd:EXECVE | execve |

Mutable Elements

| Field | Description |
| --- | --- |
| FilePathRegex | Directory/file path regex for ~/.ssh, *.pem, *.key, *.p12 |
| CommandLineMatch | Script or user agent seen accessing keys (e.g., cat ~/.ssh/id_rsa, tar ~/.gnupg) |

AN1518

Access to user private key directories (e.g., /Users/*/.ssh) via Terminal, scripting engines, or non-default processes.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | macos:unifiedlog | open/read access to private key files (id_rsa, *.pem, *.p12) |
| Process Creation (DC0032) | macos:unifiedlog | launch of bash/zsh/python/osascript targeting key file locations |

Mutable Elements

| Field | Description |
| --- | --- |
| ProcessName | Processes reading key files (osascript, python, bash, etc.) |
| FileAccessPath | Private key and certificate paths like /Users/*/.ssh, /Library/Keychains/ |

AN1519

CLI-based export of private key material (e.g., 'crypto pki export') with anomalous user session or AAA role escalation.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Command Execution (DC0064) | networkdevice:syslog | Detected CLI command to export key material |

Mutable Elements

| Field | Description |
| --- | --- |
| CLICommandMatch | Regex for export commands (e.g., crypto pki export, export ssh-key) |
| AAAUserContext | Source username or role performing the export; may be tuned to exclude known admins |