DET0549: Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms
Analyst context for executives and security teams
DET0549 is about finding suspicious access to private key files and attempts to export them. The business risk is that private keys often function like high-value credentials: if they are copied from endpoints, servers, or network devices, an attacker may be able to authenticate, decrypt data, or sign activity as a trusted entity. Even though this ATT&CK detection strategy has no official description or detection logic supplied, its relationship to T1552.004 Private Keys makes it important for credential-access monitoring and incident response readiness.
Executive priority
Security leaders should treat private key visibility as an identity and resilience control issue, not only a file-monitoring problem. Ask whether the organization knows where private keys are stored, who is allowed to access or export them, and whether SOC and IR teams can prove when key material was read, copied, or exported. This also supports audit evidence for access control and credential protection, especially on Linux, macOS, Windows, and network device environments associated with the related ATT&CK technique.
Technical view
SOC and detection engineering teams should validate monitoring around access to common private key and certificate file types and locations identified in the related technique, including extensions such as .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, and .asc, and common directories such as ~/.ssh where applicable. Because the official DET0549 object does not provide detection analytics, teams should build environment-specific baselines for legitimate administrative, automation, certificate-management, backup, and deployment activity, then alert on unusual users, processes, hosts, destinations, or export/copy patterns.
Likely telemetry
- Endpoint file access audit events for private key and certificate paths or extensions
- Process execution and command-line telemetry associated with file discovery, copy, archive, or export behavior
- EDR or host audit logs showing reads, permission changes, compression, staging, or transfer of key files
- Authentication, certificate, or key-management logs where private key export events are recorded
- Network device configuration and administrative logs where key material may be stored or exported
Detection direction
- Confirm that telemetry exists before writing detections; this ATT&CK object supplies no official detection text.
- Prioritize monitoring of known key locations, sensitive extensions, and export-capable workflows, then tune against approved certificate management, SSH administration, software deployment, backup, and automation jobs.
- Correlate suspicious key access with credential-access context: unusual account, new host, abnormal process ancestry, bulk file enumeration, archive creation, or transfer shortly after access.
- Avoid relying only on file extension matching; private keys may be renamed, stored without standard extensions, or embedded in configuration files.
- For network devices, validate whether administrative logging can show configuration export or key material access; coverage may differ significantly from endpoint telemetry.
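As an added example (not part of the ATT&CK object or this page's analysis), the following Python sketch applies the Technical view and Detection direction points above to constructed file-access and process telemetry: extension and ~/.ssh path matching, a content check for keys stored without a standard extension, an allowlist baseline for approved users and processes, and correlation of a key read with an archive or transfer tool run by the same user on the same host shortly afterwards. The baseline, staging-tool list, correlation window and JSON log format are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Extensions and locations called out in the Technical view for T1552.004.
KEY_EXTENSIONS = (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")
KEY_DIRS = ("/.ssh/",)
# Hypothetical local baseline: (user, process) pairs approved to read key material.
APPROVED = {("backup-svc", "/usr/bin/restic"), ("certbot", "/usr/bin/certbot")}
# Hypothetical set of archive/transfer tools treated as staging or export behaviour.
STAGING_TOOLS = {"tar", "zip", "7z", "scp", "curl", "rclone"}
WINDOW = timedelta(minutes=10)  # key read followed by a staging tool within this window

def is_key_path(path):
    p = path.lower()
    return p.endswith(KEY_EXTENSIONS) or any(d in p for d in KEY_DIRS)

def is_key_content(head):
    # Catches keys stored under a non-standard name via the PEM/OpenSSH armour header.
    return head.startswith("-----BEGIN") and "PRIVATE KEY-----" in head

def detect(events):
    """events: dicts with ts (ISO 8601), user, host, proc, action ('read'|'exec'), path, head."""
    alerts, key_reads = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "read" and (is_key_path(e["path"]) or is_key_content(e.get("head", ""))):
            if (e["user"], e["proc"]) in APPROVED:
                continue  # baselined administrative or automation access
            key_reads.append((ts, e))
            alerts.append({"rule": "unbaselined_key_read", "user": e["user"], "path": e["path"]})
        elif e["action"] == "exec" and e["proc"].rsplit("/", 1)[-1] in STAGING_TOOLS:
            prior = [r["path"] for rts, r in key_reads
                     if r["user"] == e["user"] and r["host"] == e["host"] and ts - rts <= WINDOW]
            if prior:  # correlation: same user and host, key read shortly before archive/transfer
                alerts.append({"rule": "key_read_then_staging", "user": e["user"],
                               "tool": e["proc"], "keys": prior})
    return alerts

# Constructed sample telemetry (not real logs), one JSON event per line.
SAMPLE = """
{"ts":"2024-05-01T09:55:00","user":"backup-svc","host":"web1","proc":"/usr/bin/restic","action":"read","path":"/etc/ssl/private/web.key"}
{"ts":"2024-05-01T10:00:00","user":"jdoe","host":"web1","proc":"/usr/bin/cat","action":"read","path":"/home/jdoe/.ssh/id_ed25519"}
{"ts":"2024-05-01T10:01:00","user":"jdoe","host":"web1","proc":"/usr/bin/cat","action":"read","path":"/opt/app/deploy.txt","head":"-----BEGIN OPENSSH PRIVATE KEY-----"}
{"ts":"2024-05-01T10:05:00","user":"jdoe","host":"web1","proc":"/usr/bin/tar","action":"exec"}
{"ts":"2024-05-01T12:00:00","user":"root","host":"web1","proc":"/usr/bin/tar","action":"exec"}
"""

def run_sample():
    return detect([json.loads(line) for line in SAMPLE.strip().splitlines()])
```

On the sample, the approved backup read produces nothing, the two unbaselined reads (one found only by content) each raise an alert, and the tar execution four minutes later raises a correlated staging alert, while root's later tar run does not.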
Mitigation priorities
- Inventory where private keys are stored and which systems, users, and automation accounts legitimately need access.
- Restrict filesystem, device, and administrative permissions for private key locations using least privilege.
- Use controlled key and certificate management processes where available, including approval and logging for export actions.
- Encrypt or protect private key material at rest where supported by the environment and operational requirements.
- Establish IR playbooks for suspected key exposure, including containment, key revocation or rotation decisions, and validation of dependent services.
Analyst notes and limits
This take is based on the detection strategy name, external reference DET0549, and its relationship to ATT&CK technique T1552.004 Private Keys. The related technique places the behavior under credential access and lists Linux, macOS, Network Devices, and Windows as relevant platforms. The official DET0549 fields supplied here do not include a description, detection logic, tactics, or platforms, so local engineering decisions must be based on asset inventory, key storage practices, and available logging.
No official detection analytic, data source list, mitigation mapping, or platform list was provided for DET0549 itself. Recommendations are therefore directional and derived from the related Private Keys technique and the detection strategy name. Actual detection quality depends on local endpoint, server, network device, and key-management telemetry.
Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.004 | Private Keys Sub-technique | This object detects Private Keys. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ab92e0f340ea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0549
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.