
Linux Auditd Private Keys and Certificate Enumeration

Splunk Security Content

Summary
The Linux Auditd Private Keys and Certificate Enumeration analytic detects attempts to locate private keys and certificates on a Linux host. It uses Linux Auditd records of the `execve` syscall to look for executions of `find` or `grep` whose arguments reference cryptographic file extensions such as .pem, .cer, .crt, .pgp, .key, .gpg, .ppk, .p12, .pfx and .p7b. Private keys underpin encrypted communications and data confidentiality; an attacker who obtains them can impersonate services or users, decrypt protected traffic, or authenticate to other systems, and enumerating them by extension is a common first step (ATT&CK T1552.004, Private Keys). Flagging these searches gives security teams an early signal to investigate before the material is copied or abused.

Because administrators and certificate-management tooling also run `find` and `grep` against these extensions, expect benign matches and tune the analytic with allowlists for known users, scripts and paths. The rule covers only `find` and `grep`; other ways of reaching the same files (for example `ls`, `cat` or `locate`) fall outside it and need separate coverage.
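The following is an added example, not Splunk's own search logic. It implements the same idea in Python over auditd `EXECVE` records: parse the `aN=` arguments (including the unquoted hex form auditd uses for arguments containing special characters), and flag an execution when the program is `find` or `grep` and any argument carries one of the listed extensions. The log lines are constructed for the example and assume execve auditing is enabled (for instance with an audit rule such as `-a always,exit -F arch=b64 -S execve -k exec_monitor`).

```python
"""Toy detection for key/certificate enumeration in Linux auditd EXECVE records.

Added example, not Splunk's search. The sample log below is constructed,
not captured from a real host.
"""
import re

# Extensions named in the analytic description.
KEY_EXTENSIONS = ("pem", "cer", "crt", "pgp", "key", "gpg",
                  "ppk", "p12", "pfx", "p7b")
# Tools the analytic is concerned with (basename of argv[0]).
SEARCH_TOOLS = {"find", "grep", "egrep", "fgrep"}

# Extension followed by end-of-token or a non-alphanumeric character, so
# "*.pem" and "--include=*.key" match but "keyring" does not.
_EXT_RE = re.compile(r"\.(" + "|".join(KEY_EXTENSIONS) + r")(?![A-Za-z0-9])",
                     re.IGNORECASE)
# aN="quoted" or aN=HEXSTRING (auditd hex-encodes args with spaces/quotes).
_ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|([0-9A-Fa-f]+))')
_MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_execve(line):
    """Return (event_id, argv) for a type=EXECVE record, or None otherwise."""
    if "type=EXECVE" not in line:
        return None
    m = _MSG_RE.search(line)
    event_id = m.group(2) if m else None
    args = {}
    for num, _whole, quoted, hexed in _ARG_RE.findall(line):
        if hexed:
            value = bytes.fromhex(hexed).decode("utf-8", "replace")
        else:
            value = quoted
        args[int(num)] = value
    argv = [args[i] for i in sorted(args)]
    return event_id, argv


def is_key_enumeration(argv):
    """True when argv is find/grep with an argument naming a key/cert extension."""
    if not argv:
        return False
    tool = argv[0].rsplit("/", 1)[-1]          # strip any leading path
    if tool not in SEARCH_TOOLS:
        return False
    return any(_EXT_RE.search(arg) for arg in argv[1:])


def detect(log_text):
    """Return the audit event ids of EXECVE records that match the analytic."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed and is_key_enumeration(parsed[1]):
            hits.append(parsed[0])
    return hits


# Constructed sample: 501 and 503 should match; 502 is a benign find,
# 504 reads a key directly with cat, which this analytic does not cover.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 comm="find" exe="/usr/bin/find" key="exec_monitor"
type=EXECVE msg=audit(1700000000.101:501): argc=4 a0="find" a1="/home" a2="-name" a3=2A2E70656D
type=EXECVE msg=audit(1700000000.102:502): argc=4 a0="/usr/bin/find" a1="/var/log" a2="-name" a3="*.log"
type=EXECVE msg=audit(1700000000.103:503): argc=5 a0="grep" a1="-rl" a2="--include=*.key" a3="PRIVATE" a4="/etc"
type=EXECVE msg=audit(1700000000.104:504): argc=2 a0="cat" a1="/root/.ssh/id_rsa"
"""

if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print("match: audit event", event)
```

Event 504 is deliberately left unflagged: it shows the blind spot noted above, where a key is read without `find` or `grep` ever being executed. A production version would pair this check with file-access auditing (`-w /etc/ssl/private -p r`, for example) and an allowlist for known maintenance scripts.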
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Process
  • File
ATT&CK Techniques
  • T1552.004
  • T1552
Created: 2025-01-15