MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1555.001: Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.

Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected

Detection

IDDS0022Data source and componentFile: File AccessDescription

Monitor for Keychain files being accessed that may be related to malicious credential collection.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor processes spawned by command line utilities to manipulate keychains directly, such as security, combined with arguments to collect passwords, such as dump-keychain -d.

IDDS0009Data source and componentProcess: OS API ExecutionDescription

Monitor for Keychain Services API calls, specifically legacy extensions such as SecKeychainFindInternetPassword, that may collect Keychain data from a system to acquire credentials.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.

Mitigation

IDM1027NamePassword PoliciesDescription

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.