T1555.001 Keychain
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.254
Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.13
| Item | Value |
|---|---|
| ID | T1555.001 |
| Sub-techniques | T1555.001, T1555.002, T1555.003, T1555.004, T1555.005 |
| Tactics | TA0006 |
| Platforms | macOS |
| Version | 1.1 |
| Created | 12 February 2020 |
| Last Modified | 18 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0274 | Calisto | Calisto collects Keychain storage data and copies those passwords/tokens to a file.1112 |
| S0690 | Green Lambert | Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.89 |
| S0278 | iKitten | iKitten collects the keychains on the system.10 |
| S0349 | LaZagne | LaZagne can obtain credentials from macOS Keychains.6 |
| S1016 | MacMa | MacMa can dump credentials from the macOS keychain.7 |
| S0279 | Proton | Proton gathers credentials in files for keychains.10 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | The password for the user’s login keychain can be changed from the user’s login password. This increases the complexity for an adversary because they need to know an additional password. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0009 | Process | OS API Execution |
References
-
Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017. ↩
-
Apple. (n.d.). Keychain Services. Retrieved April 11, 2022. ↩
-
Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022. ↩
-
Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022. ↩
-
Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022. ↩
-
Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. ↩
-
M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. ↩
-
Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. ↩
-
Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. ↩
-
Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. ↩↩
-
Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. ↩
-
Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. ↩