T1555.001 - Credentials from Password Stores: Keychain
Description from ATT&CK (opens in a new tab)
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
Keychains can be viewed and edited through the Keychain Access application or using the command-line utility
security. Keychain files are located in~/Library/Keychains/,/Library/Keychains/, and/Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)Adversaries may gather user credentials from Keychain storage/memory. For example, the command
security dump-keychain –dwill dump all Login Keychain credentials from. Adversaries may also directly read Login Keychain credentials from the/Library/Keychains/login.keychain-db/Library/Keychains/login.keychainfile. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt)
Atomic Tests
Atomic Test #1 - Keychain Dump
This command will dump keychain credential information from login.keychain. Source: https://www.loobins.io/binaries/security/ (opens in a new tab)
Keychain File path
~/Library/Keychains/ /Library/Keychains/ /Network/Library/Keychains/ Security Reference (opens in a new tab)
Supported Platforms: macOS
auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo security dump-keychain -d login.keychainAtomic Test #2 - Export Certificate Item(s)
This command finds all certificate items and sends the output to local file in pem format.
Supported Platforms: macOS
auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| cert_export | Specify the path of the certificates to export. | path | /tmp/certs.pem |
Attack Commands: Run with sh!
security find-certificate -a -p > #{cert_export}Cleanup Commands:
rm #{cert_export}Atomic Test #3 - Import Certificate Item(s) into Keychain
This command will import a certificate pem file into a keychain.
Supported Platforms: macOS
auto_generated_guid: e544bbcb-c4e0-4bd0-b614-b92131635f59
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| cert_export | Specify the path of the pem certificate file to import. | path | /tmp/certs.pem |
Attack Commands: Run with sh!
security import #{cert_export} -kAtomic Test #4 - Copy Keychain using cat utility
This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer.
Supported Platforms: macOS
auto_generated_guid: 5c32102a-c508-49d3-978f-288f8a9f6617
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| keychain_export | Specify the path to copy they keychain into. | path | /tmp/keychain |
Attack Commands: Run with sh!
cat ~/Library/Keychains/login.keychain-db > #{keychain_export}Cleanup Commands:
rm #{keychain_export}