Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or to decrypt other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.

Some private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase offline.

Example

Although it is uncommon, there are Windows SSH servers that allow users to SSH onto their machines. One example is Bitvise, an SSH server for Windows machines.

Scanning our machine returns SSH service information for the Windows host.

The places and extensions to search for are the ones mentioned above or those common to SSH; on Windows, we can find our SSH keys in the .ssh folder.

To use your SSH keys, copy your public SSH key to the system you want to connect to. Use your private SSH key on your own system. Your private key will match up with the public key, and grant access.
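
From the defender's side, the same key locations can be audited for keys stored without a passphrase. The following Python code is an added example, not part of the original page: it picks out key files by the extensions listed above or by a PEM private-key header and classifies each as passphrase-protected or plaintext. The function names, the 64 KiB read limit and the sample files built in demo() are assumptions made for illustration.

```python
import base64, os, re, stat, tempfile
from pathlib import Path

# Key/certificate extensions from the list above; using them as scan scope is this example's choice.
KEY_EXTS = {".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def passphrase_state(data: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for one file's contents."""
    if data.startswith(b"PuTTY-User-Key-File-"):
        return "plaintext" if re.search(rb"^Encryption: none\s*$", data, re.M) else "encrypted"
    m = PEM_RE.search(data)
    if not m:
        return "unknown"  # binary containers (.pfx/.p12), PGP blocks, public certificates
    label, body = m.group(1), m.group(2)
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"
    if label == b"OPENSSH PRIVATE KEY":
        raw = base64.b64decode(b"".join(body.split()))
        # openssh-key-v1 layout: 15-byte magic, then a length-prefixed cipher name
        n = int.from_bytes(raw[15:19], "big")
        return "plaintext" if raw[19:19 + n] == b"none" else "encrypted"
    return "plaintext"  # traditional or PKCS#8 PEM without encryption markers

def audit(root: Path):
    """Yield (file name, passphrase state, loose_perms) for key-like files under root."""
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()[:65536]
        if p.suffix.lower() not in KEY_EXTS and not PEM_RE.search(data):
            continue
        # Group/other permission bits are only meaningful on POSIX file systems.
        loose = os.name == "posix" and bool(p.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))
        yield p.name, passphrase_state(data), loose

def demo():
    """Run the audit over constructed sample files (headers only, no real key material)."""
    ossh = base64.b64encode(b"openssh-key-v1\0" + (4).to_bytes(4, "big") + b"none").decode()
    samples = {
        "id_ed25519": f"-----BEGIN OPENSSH PRIVATE KEY-----\n{ossh}\n-----END OPENSSH PRIVATE KEY-----\n",
        "web.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "old.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "notes.txt": "nothing here\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            (Path(d) / name).write_text(text)
        return {name: state for name, state, _ in audit(Path(d))}
```

Files reported as plaintext, or with loose_perms set, are the insecurely stored credentials this technique relies on; adding a passphrase and restricting the file to its owner removes them from that set.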
