Credentials from Password Stores: Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.[1][2][3]

Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.[4][5]

ID: T1555.001
Sub-technique of:  T1555
Platforms: macOS
Version: 1.1
Created: 12 February 2020
Last Modified: 18 April 2022

Procedure Examples

ID Name Description
S0274 Calisto

Calisto collects Keychain storage data and copies those passwords/tokens to a file.[6][7]

S0690 Green Lambert

Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.[8][9]

S0278 iKitten

iKitten collects the keychains on the system.[10]

S0349 LaZagne

LaZagne can obtain credentials from macOS Keychains.[11]

S0279 Proton

Proton gathers credentials in files for keychains.[10]

Mitigations

ID Mitigation Description
M1027 Password Policies

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process OS API Execution
Process Creation

Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.

References