Ctrl+K

T1555.001 - Keychain

T1555.001 - Keychain#

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)

Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt)

Atomic Tests#

Atomic Test #1 - Keychain DumpThis command will dump keychain credential information from login.keychain.#

Source: https://www.loobins.io/binaries/security/

Keychain File path#

~/Library/Keychains/ /Library/Keychains/ /Network/Library/Keychains/ Security Reference Supported Platforms: macos Elevation Required (e.g. root or admin)#### Attack Commands: Run with sh

sudo security dump-keychain -d login.keychain```

Invoke-AtomicTest T1555.001 -TestNumbers 1

Atomic Test #2 - Export Certificate Item(s)This command finds all certificate items and sends the output to local file in pem format.#

Supported Platforms: macos Elevation Required (e.g. root or admin)#### Attack Commands: Run with sh

security find-certificate -a -p > /tmp/certs.pem

Invoke-AtomicTest T1555.001 -TestNumbers 2

Cleanup:#

rm /tmp/certs.pem```

Invoke-AtomicTest T1555.001 -TestNumbers 2 -Cleanup

Atomic Test #3 - Import Certificate Item(s) into KeychainThis command will import a certificate pem file into a keychain.#

Supported Platforms: macos Elevation Required (e.g. root or admin)#### Attack Commands: Run with sh

security import /tmp/certs.pem -k

Invoke-AtomicTest T1555.001 -TestNumbers 3

Detection#

Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.

Contents