Attackers may exfiltrate or exploit private key files to gain unauthorized access to encrypted credentials or systems, as these files grant elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or lateral movement attempts early.
KQL Query
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith '.pfx' or FileName endswith '.pfn' or FileName endswith '.p12'
id: 2ca01fd3-afb5-4050-8a1d-6b821bdab080
name: Private Key Files
description: |
  This query identifies file operations on files having one of the extensions commonly used to save a private key. The risk is that if an attacker were to obtain the file, they could brute force any password on it and potentially obtain a powerful certificate. To do this, they would only need to obtain read access to the file.
  The risk associated with these files is heavily determined by the value of the certificate. For example, loss of a self-signed certificate created by Adobe Acrobat is significantly less impactful than loss of a website SSL certificate.
  Recommendation: Know where these files are, and if possible back them up and remove them. You might also consider creating an informational alert.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where FileName endswith '.pfx' or FileName endswith '.pfn' or FileName endswith '.p12'
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
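The hunting query above, extended here as an added example (not the page's own query) with exclusions for the benign scenarios this page describes and a summary that surfaces the account, process and device touching each key file. The account lists, tool names and directory paths are assumptions to be adapted per tenant.

```kql
// Added example, not the page's own query: the Private Key Files hunt tuned for
// the benign scenarios listed on this page. All exclusion values below are
// assumptions (placeholder accounts, tool names, paths) to adapt per tenant.
let lookback = 7d;
let knownAdmins     = dynamic(["adm.jdoe", "adm.asmith"]);      // assumed admin accounts
let knownDevelopers = dynamic(["dev.lee", "dev.garcia"]);       // assumed developer accounts
let certTools   = dynamic(["certbot", "openssl", "openssl.exe", "certutil.exe"]);
let backupTools = dynamic(["rsync", "tar", "veeam.backup.agent.exe"]);
let sshClients  = dynamic(["putty.exe", "puttygen.exe"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
// Key-file extensions from the page's query plus the .pem/.ppk formats its scenarios mention
| where FileName endswith '.pfx' or FileName endswith '.pfn' or FileName endswith '.p12'
     or FileName endswith '.pem' or FileName endswith '.ppk'
// Scenario: developer using SSH keys from their own ~/.ssh for Git
| where not(InitiatingProcessAccountName in~ (knownDevelopers) and FolderPath has '/.ssh/')
// Scenario: scheduled certificate rotation in a known certificate directory
| where not(InitiatingProcessFileName in~ (certTools) and FolderPath startswith '/etc/ssl/certs/')
// Scenario: backup tooling writing into known backup directories
| where not(InitiatingProcessFileName in~ (backupTools)
            and (FolderPath startswith '/backup/' or FolderPath startswith '/var/backups/'))
// Scenario: known admins using PuTTY for remote access
| where not(InitiatingProcessFileName in~ (sshClients)
            and InitiatingProcessAccountName in~ (knownAdmins))
// Roll up what remains so a single noisy host or account is easy to triage
| summarize Events = count(),
            Files = make_set(FileName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ActionType
| order by Events desc
```

Review the exclusions periodically: an attacker running a renamed copy of a trusted tool from an excluded directory would slip past a path-plus-process filter, so pair this hunt with the informational alert the recommendation suggests.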
Scenario: Developer using SSH key for Git operations
Description: A developer may frequently access .pem or .ppk files to authenticate with Git repositories.
Filter/Exclusion: Exclude file access events where the user is a known developer and the file path contains ~/.ssh/ or is associated with a Git repository.
Scenario: Scheduled job for certificate rotation
Description: A scheduled task may access private key files to renew or rotate SSL/TLS certificates using tools like certbot or openssl.
Filter/Exclusion: Exclude file operations where the process name is certbot, openssl, or certutil, and the file path is in a known certificate directory (e.g., /etc/ssl/certs/).
Scenario: System backup process accessing private keys
Description: During a system backup, backup tools like rsync, tar, or Veeam may include private key files in the backup archive.
Filter/Exclusion: Exclude file operations where the process is a backup tool and the file path matches a known backup directory (e.g., /backup/, /var/backups/).
Scenario: Admin using PuTTY for remote access
Description: An administrator may use PuTTY or similar tools to connect to remote servers, which requires access to .ppk private key files.
Filter/Exclusion: Exclude file access events where the process is putty.exe or puttygen, and the user is a known admin with elevated privileges.
Scenario: PKI management tool handling private keys
Description: Tools like OpenSC, PKI Manager, or KeyStore Explorer may access private key files for certificate management.
Filter/Exclusion: Exclude file operations where the process name matches the