Credentials from Password Stores: Keychain

Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. [1] The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.

To manage their credentials, users must first unlock their keychain with a separate credential, the keychain password. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. [2] By default, the passphrase for the login keychain is the user's logon password.

ID: T1555.001
Sub-technique of: T1555
Platforms: macOS
Permissions Required: Administrator
Version: 1.0
Created: 12 February 2020
Last Modified: 17 February 2020
Provided by LAYER 8

Procedure Examples

ID     Name     Description
S0274  Calisto  Calisto collects Keychain storage data and copies those passwords/tokens to a file.[3][4]
S0278  iKitten  iKitten collects the keychains on the system.[5]
S0349  LaZagne  LaZagne can obtain credentials from macOS Keychains.[6]
S0279  Proton   Proton gathers credentials in files for keychains.[5]

Mitigations

ID     Mitigation         Description
M1027  Password Policies  The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process OS API Execution

Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.
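The following is an added detection example, not code from the ATT&CK page or from any of the listed tools: it runs two rules that map to the Command Execution and File Access data components over constructed newline-delimited JSON telemetry. The telemetry schema (type, pid, process, cmdline, path) and the allowlist of processes expected to read keychain files are assumptions to adapt to a real EDR feed.

```python
import json
import re
import shlex
from typing import Optional, Tuple

# Any path under a Keychains directory the page names:
# ~/Library/Keychains/, /Library/Keychains/, /Network/Library/Keychains/
KEYCHAIN_PATH_RE = re.compile(r"(^|/)Library/Keychains/")

# `security` subcommands with the flags that print decrypted secrets (-d: decrypt
# dump; -g/-w: show the password); calls without them list metadata only and are skipped.
REVEALING_SECURITY_CALLS = {
    "dump-keychain": {"-d"},
    "find-generic-password": {"-g", "-w"},
    "find-internet-password": {"-g", "-w"},
}

# Processes expected to read keychain files (constructed allowlist; tune per fleet).
ALLOWED_FILE_READERS = {"securityd", "security", "Keychain Access", "trustd"}

def check_event(event: dict) -> Optional[Tuple[str, int]]:
    """Return (rule_name, pid) when a telemetry event matches a rule."""
    pid = int(event.get("pid", -1))
    if event.get("type") == "command":                       # Command Execution
        argv = shlex.split(event.get("cmdline", ""))
        if len(argv) > 1 and argv[0].rsplit("/", 1)[-1] == "security":
            if REVEALING_SECURITY_CALLS.get(argv[1], set()) & set(argv[2:]):
                return ("security-reveals-secret", pid)
    elif event.get("type") == "file_access":                 # File Access
        if (KEYCHAIN_PATH_RE.search(event.get("path", ""))
                and event.get("process") not in ALLOWED_FILE_READERS):
            return ("unexpected-keychain-file-read", pid)
    return None

def scan(lines) -> list:
    """Run every rule over newline-delimited JSON telemetry lines."""
    return [f for f in (check_event(json.loads(l)) for l in lines if l.strip()) if f]

# Constructed sample telemetry (hypothetical schema, not a real EDR format).
SAMPLE_TELEMETRY = """
{"type": "command", "pid": 101, "process": "security", "cmdline": "security find-generic-password -s corp-wifi -w"}
{"type": "command", "pid": 102, "process": "security", "cmdline": "security list-keychains"}
{"type": "file_access", "pid": 103, "process": "securityd", "path": "/Users/alice/Library/Keychains/login.keychain-db"}
{"type": "file_access", "pid": 104, "process": "python3", "path": "/Users/alice/Library/Keychains/login.keychain-db"}
{"type": "command", "pid": 105, "process": "security", "cmdline": "/usr/bin/security dump-keychain -d login.keychain-db"}
"""

if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_TELEMETRY.splitlines()):
        print(f"[{rule}] pid={pid}")
```

Only calls that actually reveal secrets and file reads by processes outside the allowlist are flagged, which keeps the rules usable despite the routine keychain traffic the text describes.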

References