1. Home
  2. Techniques
  3. Enterprise
  4. Unsecured Credentials
  5. Private Keys

Unsecured Credentials: Private Keys

ID Name
T1552.001 Credentials In Files
T1552.002 Credentials in Registry
T1552.003 Shell History
T1552.004 Private Keys
T1552.005 Cloud Instance Metadata API
T1552.006 Group Policy Preferences
T1552.007 Container API
T1552.008 Chat Messages

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.[1] Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.[2][3]

When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.[4] An adversary with access to the device may be able to export the keys in order to impersonate the device.[5]

On network devices, private keys may be exported via Network Device CLI commands such as crypto pki export.[6]

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.

ID: T1552.004
Sub-technique of:  T1552
Tactic: Credential Access
Platforms: Linux, Network Devices, Windows, macOS
Contributors: Austin Clark, @c2defense; Itzik Kotler, SafeBreach
Version: 1.3
Created: 04 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.[7]
S0377 Ebury

Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[8]

S0363 Empire

Empire can use modules like Invoke-SessionGopher to extract private key and session information.[9]
S0661 FoggyWeb

FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.[10]
S0601 Hildegard

Hildegard has searched for private keys in .ssh.[11]
S0283 jRAT

jRAT can steal keys for VPNs and cryptocurrency wallets.[12]
S0599 Kinsing

Kinsing has searched for private keys.[13]
S0409 Machete

Machete has scanned and looked for cryptographic keys and certificate file extensions.[14]

S1060 Mafalda

Mafalda can collect a Chrome encryption key used to protect browser cookies.[15]
S0002 Mimikatz

Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[16]
C0014 Operation Wocao

During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.[17]
G0106 Rocke

Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[18]
G1015 Scattered Spider

Scattered Spider enumerate and exfiltrate code-signing certificates from a compromised host.[19]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[20][21]
G1053 Storm-0501

Storm-0501 has leveraged the Azure Owner role to access and steal the Storage Account Access keys using the Microsoft.Storage/storageAccounts/listkeys/action operation.[22]
G0139 TeamTNT

TeamTNT has searched for unsecured SSH keys.[23][24]
S1196 Troll Stealer

Troll Stealer collects all data in victim .ssh folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. Troll Stealer also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.[25][26]
G1017 Volt Typhoon

Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.[27]

Mitigations

ID Mitigation Description
M1047 Audit

Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.
M1041 Encrypt Sensitive Information

When possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.[4]
M1027 Password Policies

Use strong passphrases for private keys to make cracking difficult.
M1022 Restrict File and Directory Permissions

Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the nonexportable flag during RSA key pair generation.[6]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0549 Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms AN1516

A process (non-system or user-initiated) accesses private key files in user profile paths or system certificate stores followed by potential network connections or compression activity.
AN1517

User or script-based access to ~/.ssh or other directories containing private keys followed by unusual shell activity or network connections.
AN1518

Access to user private key directories (e.g., /Users/*/.ssh) via Terminal, scripting engines, or non-default processes.
AN1519

CLI-based export of private key material (e.g., 'crypto pki export') with anomalous user session or AAA role escalation.

References

  1. Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.
  2. Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The Masked APT. Retrieved July 5, 2017.
  3. Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia – Game Over. Retrieved July 5, 2017.
  4. Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.
  5. Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.
  6. Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023.
  7. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  8. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  9. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  10. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  11. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  12. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  13. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  14. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  1. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  2. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  5. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  6. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  7. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  8. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.
  9. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
  10. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  11. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  12. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  13. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.