/
proc_creation_win_susp_private_keys_recon.yml
49 lines (49 loc) · 1.52 KB
/
proc_creation_win_susp_private_keys_recon.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021/07/20
modified: 2023/03/06
tags:
- attack.credential_access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'dir '
selection_pwsh_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains: 'Get-ChildItem '
selection_findstr:
- Image|endswith: '\findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_ext:
CommandLine|contains:
- '.key'
- '.pgp'
- '.gpg'
- '.ppk'
- '.p12'
- '.pem'
- '.pfx'
- '.cer'
- '.p7b'
- '.asc'
condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
- Unknown
level: medium