Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto) Adversaries may gather private keys from compromised systems for use in authenticating to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as~/.sshfor SSH keys on * nix-based systems orC:\Users\(username)\.ssh\on Windows. Private keys should require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)
Private Keys:
find / -type f ( -name ".pem" -o -name ".pgp" -o -name ".gpg" -o -name ".ppk" -o -name ".p12" -o -name ".key" -o -name ".pfx" -o -name ".cer" -o -name ".p7b" -o -name ".asc" -o -name "authorized*" )
look for Users' SSH Private Key: find / -name id_rsa OR find / -name id_dsa
Copy Private SSH Keys with CP: find / -name id_rsa -exec cp --parents {} #{output_folder} ;
find / -name id_dsa -exec cp --parents {} #{output_folder} ;
Copy Private SSH Keys with rsync:
find / -name id_rsa -exec rsync -R {} #{output_folder} ;
find / -name id_dsa -exec rsync -R {} #{output_folder} ;
bash_history logs
index=* sourcetype=bash_history find AND (.pem OR authorized OR gpg OR pgp OR .ppk OR .cer OR .key OR .asc)
index=* sourcetype=bash_history find AND (id_rsa OR id_dsa)