Credentials from Password Stores:  Связка ключей

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann) Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt)

ID: T1555.001
Относится к технике:  T1555
Тактика(-и): Credential Access
Платформы: macOS
Источники данных: Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation
Версия: 1.1
Дата создания: 12 Feb 2020
Последнее изменение: 18 Apr 2022

Примеры процедур

Название Описание
Green Lambert

Green Lambert can use Keychain Services API functions to find and collect passwords, such as `SecKeychainFindInternetPassword` and `SecKeychainItemCopyAttributesAndData`.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

Proton

Proton gathers credentials in files for keychains.(Citation: objsee mac malware 2017)

MacMa

MacMa can dump credentials from the macOS keychain.(Citation: ESET DazzleSpy Jan 2022)

LaZagne

LaZagne can obtain credentials from macOS Keychains.(Citation: GitHub LaZagne Dec 2018)

Calisto

Calisto collects Keychain storage data and copies those passwords/tokens to a file.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)

iKitten

iKitten collects the keychains on the system.(Citation: objsee mac malware 2017)

Контрмеры

Контрмера Описание
Password Policies

Set and enforce secure password policies for accounts.

Обнаружение

Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.

Каталоги

БДУ ФСТЭК:
УБИ.074 Угроза несанкционированного доступа к аутентификационной информации
Угроза заключается в возможности извлечения паролей, имён пользователей или других учётных данных из оперативной памяти компьюте...