Description
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)
Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt)
Platforms
Mitigations (1)
Password PoliciesM1027
The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has leveraged malware variants configured to dump credentials from the macOS keychain.(C... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S1185 | LightSpy | Malware | [LightSpy](https://attack.mitre.org/software/S1185) performs an in-memory keychain query via `SecItemCopyMatching()` then formats the retrieved data a... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has collected keys stored within `/Library/Keychains/login.keychain-db`.(Citation: Koi Glassworm ... |
| S0690 | Green Lambert | Malware | [Green Lambert](https://attack.mitre.org/software/S0690) can use Keychain Services API functions to find and collect passwords, such as `SecKeychainFi... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) uses the command `/usr/bin/security dump-keychain -d` to read the keychain credential.(Citation: Emp... |
| S0279 | Proton | Malware | [Proton](https://attack.mitre.org/software/S0279) gathers credentials in files for keychains.(Citation: objsee mac malware 2017) |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) can dump credentials from the macOS keychain.(Citation: ESET DazzleSpy Jan 2022) |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from macOS Keychains.(Citation: GitHub LaZagne Dec 2018) |
| S0274 | Calisto | Malware | [Calisto](https://attack.mitre.org/software/S0274) collects Keychain storage data and copies those passwords/tokens to a file.(Citation: Securelist Ca... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can capture files from a targeted user's keychain directory.(Citation: Kandji Cuckoo April 2... |
| S0278 | iKitten | Malware | [iKitten](https://attack.mitre.org/software/S0278) collects the keychains on the system.(Citation: objsee mac malware 2017) |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has collected keys associated with macOS within `/Library/Keychains/login.keychain`.(Citation: S... |
References
- Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
- Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.
- Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.
- Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022.
Frequently Asked Questions
What is T1555.001 (Keychain)?
T1555.001 is a MITRE ATT&CK technique named 'Keychain'. It belongs to the Credential Access tactic(s). Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive...
How can T1555.001 be detected?
Detection of T1555.001 (Keychain) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1555.001?
There are 1 documented mitigations for T1555.001. Key mitigations include: Password Policies.
Which threat groups use T1555.001?
Known threat groups using T1555.001 include: Contagious Interview.