The sub-techniques beta is now live! Read the release blog post for more info.

Private Keys

Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. [1]

Adversaries may gather private keys from compromised systems for use in authenticating to Remote Services like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users(username).ssh\ on Windows.

Private keys should require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. [2] [3]

ID: T1145
Tactic: Credential Access
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: File monitoring
Contributors: Itzik Kotler, SafeBreach
Version: 1.0
Created: 14 December 2017
Last Modified: 18 July 2019

Procedure Examples

Name Description

Ebury has intercepted unencrypted private keys as well as private key pass-phrases. [6]


Empire can use modules like Invoke-SessionGopher to extract private key and session information.[5]


jRAT can steal keys for VPNs and cryptocurrency wallets.[7]


Machete has scanned and looked for cryptographic keys and certificate file extensions. [8]


Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[4]


Mitigation Description

Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.

Encrypt Sensitive Information

When possible, store keys on separate cryptographic hardware instead of on the local system.

Network Segmentation

Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement.

Password Policies

Use strong passphrases for private keys to make cracking difficult.

Restrict File and Directory Permissions

Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.


Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.