Credentials from Password Stores: Keychain
Adversaries may collect the keychain storage data from a system to acquire machine identities. Keychains are the built-in way for macOS to keep track of users' keys and credentials for various services and features, such as certificates. Keychain files are located in
By default, the passphrase for the keychain is the user's logon credentials. Adversaries with access to the victim's machine can use those logon credentials to unlock the keychain and then access all the information stored in the vault.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Unlocking the keychain and reading passwords from it is a very common, legitimate process, so any detection technique is likely to produce a lot of noise. Monitoring system calls and file accesses to the keychain can help determine whether a suspicious process is trying to read it.
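One way to cut through that noise is to baseline the processes that routinely touch keychain files and alert only on accesses from outside that baseline. The following is an added example, not part of the original page: it runs a simple detector over constructed file-access events. The keychain path pattern and the allowlist of expected processes are assumptions for the example and would need tuning from a real baseline.

```python
import re
from collections import Counter

# Constructed sample file-access events (not real telemetry), in the shape a
# file-monitoring agent might emit: process name, user and the path opened.
SAMPLE_EVENTS = [
    {"process": "securityd", "user": "_securityd", "path": "/Library/Keychains/System.keychain"},
    {"process": "trustd", "user": "_trustd", "path": "/Library/Keychains/System.keychain"},
    {"process": "securityd", "user": "alice", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "python3", "user": "alice", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "bash", "user": "alice", "path": "/Users/alice/Documents/notes.txt"},
    {"process": "cp", "user": "alice", "path": "/Network/Library/Keychains/corp.keychain"},
]

# Keychain storage files: a *.keychain or *.keychain-db file under a
# Library/Keychains directory. This pattern is an assumption for the example.
KEYCHAIN_PATH = re.compile(r"(^|/)Library/Keychains/[^/]+\.keychain(-db)?$")

# Processes expected to touch keychain files routinely. This allowlist is an
# assumption for the example; derive the real one from observed baseline data.
EXPECTED_PROCESSES = {"securityd", "trustd", "loginwindow"}


def is_keychain_access(event):
    """True if the event's path looks like a keychain storage file."""
    return KEYCHAIN_PATH.search(event["path"]) is not None


def find_suspicious(events):
    """Return keychain-file accesses made by processes outside the baseline."""
    return [e for e in events
            if is_keychain_access(e) and e["process"] not in EXPECTED_PROCESSES]


def summarize_noise(events):
    """Count keychain accesses per process, to show how much is routine volume."""
    return Counter(e["process"] for e in events if is_keychain_access(e))


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {e['process']} ({e['user']}) opened {e['path']}")
    print("keychain accesses per process:", dict(summarize_noise(SAMPLE_EVENTS)))
```

On the sample events the baseline daemons are suppressed and only the two non-baseline processes that opened keychain files are reported.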
Created: 29 December 2020
Last Modified: 29 December 2020