Credentials from Password Stores: Keychain

Adversaries may collect keychain storage data from a system to acquire machine identities. Keychains are the built-in mechanism macOS uses to keep track of users' keys and credentials for various services and features, such as certificates. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.

By default, the passphrase for the login keychain is the user's logon password. Adversaries with access to the victim's machine can therefore use the logon credentials to unlock the keychain and then access all the information stored in the vault.

Mitigations

This technique cannot easily be mitigated with preventive controls, since it relies on the abuse of legitimate system features rather than on a vulnerability.

Detection

Unlocking the keychain and reading passwords from it is a very common, legitimate process, so any detection technique will have to cope with a lot of noise. Monitoring system calls and file access to the keychain can help determine whether a suspicious process is trying to access it.
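As an added example (not part of the original page), the following script triages file-monitoring events against the keychain locations named above: it counts every process that touches a keychain file, but only alerts on processes outside an allowlist, which is one way to keep the normal keychain traffic out of the alert queue. The key=value event format, the allowlist contents and the sample log lines are constructed assumptions, not a real macOS log format.

```python
"""Triage file-monitoring events that touch macOS keychain files (added example)."""
import re
from collections import Counter

# Keychain locations named on the page; ~/Library/Keychains/ is matched per user.
SYSTEM_KEYCHAIN_DIRS = ("/Library/Keychains/", "/Network/Library/Keychains/")
USER_KEYCHAIN_RE = re.compile(r"^/Users/[^/]+/Library/Keychains/")

# Processes expected to read keychain files directly. Assumption: tune this
# allowlist per fleet; anything else touching a keychain file is flagged.
EXPECTED_PROCESSES = {"securityd", "security", "Keychain Access", "trustd"}

# key=value pairs; quoted values (e.g. "Keychain Access") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn '<timestamp> key=value ...' into a dict (constructed format)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def is_keychain_path(path):
    return path.startswith(SYSTEM_KEYCHAIN_DIRS) or bool(USER_KEYCHAIN_RE.match(path))

def triage(lines):
    """Return (alerts, per-process keychain access counts).
    Expected processes are counted for baselining but never alerted on."""
    alerts, counts = [], Counter()
    for line in lines:
        ev = parse_event(line)
        path = ev.get("path", "")
        if not is_keychain_path(path):
            continue
        counts[ev["process"]] += 1
        if ev["process"] not in EXPECTED_PROCESSES:
            alerts.append((ev["ts"], ev["process"], ev["action"], path))
    return alerts, counts

SAMPLE_LOG = [  # constructed events, not captured from a real host
    '2020-12-29T10:00:01Z process=securityd action=open path=/Users/alice/Library/Keychains/login.keychain-db',
    '2020-12-29T10:00:02Z process="Keychain Access" action=open path=/Users/alice/Library/Keychains/login.keychain-db',
    '2020-12-29T10:00:03Z process=trustd action=read path=/Library/Keychains/System.keychain',
    '2020-12-29T10:00:04Z process=python3 action=read path=/Users/alice/Library/Keychains/login.keychain-db',
    '2020-12-29T10:00:05Z process=cp action=read path=/Library/Keychains/System.keychain',
    '2020-12-29T10:00:06Z process=python3 action=read path=/Users/alice/Documents/notes.txt',
]

if __name__ == "__main__":
    found, seen = triage(SAMPLE_LOG)
    for alert in found:
        print("ALERT", *alert)
    print("keychain touches per process:", dict(seen))
```

On the sample log this raises two alerts (python3 and cp) while the four reads by allowlisted processes are only counted.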

Attachments

ID: VT0021.001
Sub-techniques:
Tactic: Credential Access
Platforms: macOS
Permissions Required: Administrator
Data Sources: API monitoring, File monitoring, PowerShell logs, Process monitoring, System calls
Version: 1.0

Created: 29 December 2020

Last Modified: 29 December 2020