5058 Key file operation
Written when an operation (read, write, delete, etc.) is performed on a cryptographic key file. It records access to private keys and certificate-associated key material and is useful for detecting credential theft.
Overview
The subcategory is Audit Other System Events. The event is generated when an operation such as read, export, or delete is performed on a key file managed by CNG/CryptoAPI (a file storing a certificate’s private key, DPAPI keys, and so on). It records the operation type, the target key, and the executing process.
How it is triggered
- Access to a key container/key file (using a certificate, exporting a private key, deleting a key, and so on).
- The operation type (read/write/delete/export, etc.) is recorded.
Security review points
- Exporting or reading a private key can indicate theft of a certificate’s private key (for impersonation) or of a key that decrypts DPAPI-protected data. Pay attention to key-file operations, especially exports, by unexpected processes or accounts.
- Correlate with DPAPI events 4692/4693 and certificate-services events to track access to credentials and key material.
Notes for log review
- The event also fires during legitimate application activity and normal certificate use. Compare the operation type (especially export/delete), target key, and process against the host’s normal patterns.
- Treat key-file operations by executables in temp folders, or by unfamiliar processes, as high priority for confirmation.
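The review points above (unexpected process or account, export/delete operations, temp-folder executables, correlation with DPAPI events 4692/4693) can be turned into a small triage routine. The following is an added example, not part of the original page or of any Microsoft tooling; the record field names (EventID, Operation, KeyName, KeyType, ProcessName, SubjectUserName, SubjectLogonId, TimeCreated) are assumptions that mirror the "Key fields" table, the baseline of known processes is a constructed allowlist, and the sample records are constructed, not captured from a real host.

```python
"""Triage constructed Windows 5058 (key file operation) records.

Added example for this page. Field names and the KNOWN_PROCESSES baseline
are assumptions; SAMPLE_EVENTS below are constructed, not real captures.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Operations the page singles out as most sensitive.
SENSITIVE_OPS = {"export", "delete"}

# Process paths the page says to confirm at high priority (temp folders).
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed baseline of processes expected to touch key files on this host.
KNOWN_PROCESSES = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\certreq.exe",
    r"c:\windows\system32\inetsrv\w3wp.exe",
}

# DPAPI master key events the page says to correlate with, and the time window
# within which one in the same logon session counts as related.
DPAPI_EVENTS = {4692, 4693}
DPAPI_WINDOW = timedelta(minutes=5)


def classify(event: dict, known_processes=KNOWN_PROCESSES) -> tuple[str, list[str]]:
    """Return (priority, reasons) for one 5058 record, priority in high/medium/low."""
    reasons = []
    op = event["Operation"].lower()
    proc = event["ProcessName"].lower()
    from_temp = bool(TEMP_PATH_RE.search(proc))
    unknown = proc not in known_processes
    sensitive = op in SENSITIVE_OPS
    if from_temp:
        reasons.append("process runs from a temp folder")
    if unknown:
        reasons.append("process not in the key-file access baseline")
    if sensitive:
        reasons.append(f"sensitive operation: {op}")
    # Temp-folder executables, or export/delete by an unexpected process, go straight to high.
    if from_temp or (sensitive and unknown):
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", reasons


def dpapi_correlated(event: dict, events: list[dict], window=DPAPI_WINDOW) -> bool:
    """True if a 4692/4693 for the same logon session falls within the window."""
    for other in events:
        if (other["EventID"] in DPAPI_EVENTS
                and other["SubjectLogonId"] == event["SubjectLogonId"]
                and abs(other["TimeCreated"] - event["TimeCreated"]) <= window):
            return True
    return False


def triage(events: list[dict], known_processes=KNOWN_PROCESSES) -> list[dict]:
    """Classify every 5058 in the batch, escalate on DPAPI correlation, sort by priority."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for ev in events:
        if ev["EventID"] != 5058:
            continue
        priority, reasons = classify(ev, known_processes)
        if dpapi_correlated(ev, events):
            reasons.append("DPAPI master key event (4692/4693) in the same logon session")
            if priority == "medium":
                priority = "high"
        findings.append({"key": ev["KeyName"], "subject": ev["SubjectUserName"],
                         "process": ev["ProcessName"], "priority": priority,
                         "reasons": reasons})
    findings.sort(key=lambda f: rank[f["priority"]])
    return findings


# Constructed sample batch: one benign read, one export from a temp folder,
# one read by an unlisted agent followed by a 4692 in the same session,
# and one delete by a baseline tool.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 5058, "TimeCreated": T0, "SubjectUserName": "SYSTEM",
     "SubjectLogonId": "0x3e7", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "Operation": "Read", "KeyName": "MachineAuthCert", "KeyType": "Machine key"},
    {"EventID": 5058, "TimeCreated": T0 + timedelta(minutes=3), "SubjectUserName": "alice",
     "SubjectLogonId": "0x5a2c1", "ProcessName": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "Operation": "Export", "KeyName": "WebServerTLS", "KeyType": "Machine key"},
    {"EventID": 5058, "TimeCreated": T0 + timedelta(minutes=10), "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x7b110", "ProcessName": r"C:\Program Files\Contoso\agent.exe",
     "Operation": "Read", "KeyName": "ServiceAccountDPAPI", "KeyType": "User key"},
    {"EventID": 4692, "TimeCreated": T0 + timedelta(minutes=11), "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x7b110"},
    {"EventID": 5058, "TimeCreated": T0 + timedelta(minutes=20), "SubjectUserName": "SYSTEM",
     "SubjectLogonId": "0x3e7", "ProcessName": r"C:\Windows\System32\certreq.exe",
     "Operation": "Delete", "KeyName": "ExpiredRequestKey", "KeyType": "Machine key"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['priority']:6}] {f['key']} by {f['subject']} via {f['process']}: "
              + "; ".join(f["reasons"]))
```

On the sample batch the export from the user's temp folder and the agent read that is followed by a 4692 in the same logon session both come out as high, the delete by certreq.exe as medium (sensitive operation, but a baseline process), and the lsass.exe read as low. The baseline set is the part that needs tuning per host: the page's advice is to compare against normal patterns, so the allowlist should be built from a period of known-good 5058 data rather than hard-coded as here.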
Key fields
| Field | Meaning |
|---|---|
| Key Name / Key Type | The target key |
| Operation | The operation type (read/export/delete, etc.) |
| Process Name / Subject | The originating process and account |
Glossary
- Key file — a file storing a certificate’s private key, a DPAPI master key, and so on. If stolen, it can be abused for impersonation or for decrypting protected data.