100 Days of YARA – Day 47: Private Keys

Scanning for private keys can reveal information leaks and breaches. Key management is often not prioritized or not done properly, so when a key turns up on a host it can be hard to tell whether it belongs to the organization or was dropped there by an attacker.

Unaccounted-for keys discovered on systems may warrant an investigation.

Here are a few rules to find private key material. Each one matches the label from a PEM header: "BEGIN PRIVATE KEY" is the PKCS#8 label, "BEGIN RSA PRIVATE KEY" the PKCS#1 (OpenSSL "traditional") label, and "BEGIN OPENSSH PRIVATE KEY" the label of OpenSSH's own key format. The strings are plain substrings, so the surrounding dashes do not need to be in the rule. Note that other labels such as "BEGIN EC PRIVATE KEY", "BEGIN DSA PRIVATE KEY", "BEGIN ENCRYPTED PRIVATE KEY" and "BEGIN PGP PRIVATE KEY BLOCK" are not covered by these three rules.

rule private_key
{
	meta:
		description = "Private key"

	strings:
		// PKCS#8 label; "wide" also catches UTF-16 copies (e.g. pasted into Windows text files)
		$ = "BEGIN PRIVATE KEY" ascii wide

	condition:
		all of them
}

rule private_rsa_key
{
	meta:
		description = "RSA private key"

	strings:
		// PKCS#1 label, the "traditional" OpenSSL RSA format
		$ = "BEGIN RSA PRIVATE KEY" ascii wide

	condition:
		all of them
}

rule openssh_private_key
{
	meta:
		description = "OpenSSH private key"

	strings:
		// OpenSSH native format; "ascii wide" added for consistency with the rules above
		$ = "BEGIN OPENSSH PRIVATE KEY" ascii wide

	condition:
		all of them
}
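To show what these rules actually match, here is an added example (not code from the original post) that mirrors them in plain Python, so the behaviour of the `ascii wide` modifier can be checked without a YARA install: `ascii` matches the raw bytes of the label, `wide` matches the same label encoded as UTF-16LE with no BOM. The scanner goes slightly beyond the page by also carrying the EC, DSA, encrypted PKCS#8 and PGP labels, which the three rules above would miss. The sample inputs are constructed placeholders with no real key material; the rule names for the extra labels are my own.

```python
"""Plain-Python mirror of the private-key YARA rules (added example)."""
import os
import re
from typing import Dict, List, Tuple

# Label substring per rule.  The first three are the rules on the page; the
# rest are extra PEM labels added here to show how the approach generalises.
RULES: Dict[str, str] = {
    "private_key": "BEGIN PRIVATE KEY",                      # PKCS#8, unencrypted
    "private_rsa_key": "BEGIN RSA PRIVATE KEY",              # PKCS#1 / OpenSSL traditional
    "openssh_private_key": "BEGIN OPENSSH PRIVATE KEY",      # OpenSSH native format
    "private_ec_key": "BEGIN EC PRIVATE KEY",                # SEC1 (extra, hypothetical rule name)
    "private_dsa_key": "BEGIN DSA PRIVATE KEY",              # extra, hypothetical rule name
    "encrypted_private_key": "BEGIN ENCRYPTED PRIVATE KEY",  # PKCS#8, encrypted (extra)
    "pgp_private_key": "BEGIN PGP PRIVATE KEY BLOCK",        # extra, hypothetical rule name
}


def encodings(label: str) -> List[Tuple[str, bytes]]:
    """The two byte forms a YARA string with `ascii wide` matches."""
    return [("ascii", label.encode("ascii")), ("wide", label.encode("utf-16-le"))]


def scan(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Return {rule_name: [(encoding, offset), ...]} for every rule that fires.

    Mirrors YARA's `all of them` with a single string: the rule fires if the
    label occurs at least once in either encoding.
    """
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for rule, label in RULES.items():
        found = []
        for enc, needle in encodings(label):
            for m in re.finditer(re.escape(needle), data):
                found.append((enc, m.start()))
        if found:
            hits[rule] = found
    return hits


def scan_path(root: str) -> Dict[str, Dict[str, List[Tuple[str, int]]]]:
    """Walk a directory tree and report every file in which any rule fires."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = scan(fh.read())
            except OSError:
                continue  # unreadable file (permissions, special file); skip it
            if hits:
                report[path] = hits
    return report


# Constructed samples: placeholder bodies, not real key material.
PKCS8_SAMPLE = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"<placeholder base64 body>\n"
    b"-----END PRIVATE KEY-----\n"
)
# A key pasted into a log line, the kind of leak the rules are meant to find.
LOG_SAMPLE = (
    b"2022-02-07 debug: dumping config\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"<placeholder base64 body>\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
# The same OpenSSH header stored as UTF-16LE, which only the `wide` form catches.
OPENSSH_WIDE_SAMPLE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "<placeholder body>\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
).encode("utf-16-le")
# Encrypted PKCS#8: not matched by the page's private_key rule.
ENCRYPTED_SAMPLE = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    b"<placeholder body>\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n"
)
CLEAN_SAMPLE = b"nothing to see here, just an ordinary config file\n"

if __name__ == "__main__":
    for name, blob in [("pkcs8", PKCS8_SAMPLE), ("log", LOG_SAMPLE),
                       ("openssh-utf16", OPENSSH_WIDE_SAMPLE),
                       ("encrypted", ENCRYPTED_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(name, scan(blob))
```

Run `scan_path("/some/dir")` to sweep a tree; the offsets it reports are the byte offsets YARA would print for the same string. The `ENCRYPTED_SAMPLE` case is the one to keep in mind: an encrypted PKCS#8 key does not trigger `private_key`, because "BEGIN PRIVATE KEY" is not a substring of "BEGIN ENCRYPTED PRIVATE KEY", so a separate rule (or a looser string) is needed for it.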


One thought on “100 Days of YARA – Day 47: Private Keys

  1. Pingback: Week 06 – 2022 – This Week In 4n6
