Credentials from Password Stores: Память securityd
Other sub-techniques of Credentials from Password Stores (6)
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware) In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s `securityd` utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)
Примеры процедур |
|
Название | Описание |
---|---|
Keydnap |
Keydnap uses the keychaindump project to read securityd memory.(Citation: synack 2016 review) |
Обнаружение
Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.
Ссылки
- Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
- Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved July 15, 2017.
- Apple. (n.d.). Security Server and Security Agent. Retrieved March 29, 2024.
- Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
- Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
Связанные риски
Риск | Связи | |
---|---|---|
Раскрытие ключей (паролей) доступа
из-за
возможности получения паролей из Keychain
в ОС macOS
Конфиденциальность
Повышение привилегий
Раскрытие информации
Подмена пользователя
|
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.