100 Days of YARA – Day 47: Private Keys

Scanning for private keys can reveal information leaks and breaches. Often, the management of keys isn’t prioritized or executed properly, leading to situations where it is difficult to differentiate between keys belonging to an attacker and ones belonging to the victim.

Unaccounted for keys discovered on systems may warrant an investigation.

Here are a few rules to find private key material.

rule private_key
{
	meta:
		description = "Private key"

	strings:
		$ = "BEGIN PRIVATE KEY" ascii wide

	condition:
		all of them
}

rule private_rsa_key
{
	meta:
		description = "RSA private key"

	strings:
		$ = "BEGIN RSA PRIVATE KEY" ascii wide

	condition:
		all of them
}

rule openssh_private_key
{
	meta:
		description = "OpenSSH private key"

	strings:
		$ = "BEGIN OPENSSH PRIVATE KEY"

	condition:
		all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 47: Private Keys

  1. Pingback: Week 06 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s