Skip to content

Latest commit

 

History

History
47 lines (22 loc) · 1.54 KB

T1142.md

File metadata and controls

47 lines (22 loc) · 1.54 KB

T1142 - Keychain

Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.

To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.

Atomic Tests


Atomic Test #1 - Keychain

Keychain Files

~/Library/Keychains/

/Library/Keychains/

/Network/Library/Keychains/

Security Reference

Keychain dumper

Supported Platforms: macOS

Attack Commands: Run with sh!

security -h
security find-certificate -a -p > allcerts.pem
security import /tmp/certs.pem -k