MITRE ATT&CK Technique
Description
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)

Adversaries may gather private keys from compromised systems for use in authenticating to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as `~/.ssh` for SSH keys on *nix-based systems or `C:\Users\(username)\.ssh\` on Windows.

Private keys should require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase offline.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)
Supported Platforms
Linux, macOS, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Private cryptographic keys and certificates are used for '
'authentication, encryption/decryption, and digital '
'signatures. (Citation: Wikipedia Public Key Crypto)\n'
'\n'
'Adversaries may gather private keys from compromised systems '
'for use in authenticating to [Remote '
'Services](https://attack.mitre.org/techniques/T1021) like SSH '
'or for use in decrypting other collected files such as email. '
'Common key and certificate file extensions include: .key, '
'.pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. '
'Adversaries may also look in common key directories, such as '
'<code>~/.ssh</code> for SSH keys on * nix-based systems or '
'<code>C:\\Users\\(username)\\.ssh\\</code> on Windows.\n'
'\n'
'Private keys should require a password or passphrase for '
'operation, so an adversary may also use [Input '
'Capture](https://attack.mitre.org/techniques/T1056) for '
'keylogging or attempt to [Brute '
'Force](https://attack.mitre.org/techniques/T1110) the '
'passphrase off-line.\n'
'\n'
'Adversary tools have been discovered that search compromised '
'systems for file extensions relating to cryptographic keys '
'and certificates. (Citation: Kaspersky Careto) (Citation: '
'Palo Alto Prince of Persia)',
'external_references': [{'external_id': 'T1145',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1145'},
{'description': 'Wikipedia. (2017, June 29). '
'Public-key cryptography. Retrieved '
'July 5, 2017.',
'source_name': 'Wikipedia Public Key Crypto',
'url': 'https://en.wikipedia.org/wiki/Public-key_cryptography'},
{'description': 'Kaspersky Labs. (2014, February 11). '
'Unveiling “Careto” - The Masked APT. '
'Retrieved July 5, 2017.',
'source_name': 'Kaspersky Careto',
'url': 'https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf'},
{'description': 'Bar, T., Conant, S., Efraim, L. '
'(2016, June 28). Prince of Persia – '
'Game Over. Retrieved July 5, 2017.',
'source_name': 'Palo Alto Prince of Persia',
'url': 'https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/'}],
'id': 'attack-pattern--56ff457d-5e39-492b-974c-dfd2b8603ffe',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:49.203Z',
'name': 'Private Keys',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Itzik Kotler, SafeBreach'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.1'}