Common Information
Type | Value |
---|---|
Value |
Keychain - T1555.001 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility <code>security</code>. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann) Adversaries may gather user credentials from Keychain storage/memory. For example, the command <code>security dump-keychain –d</code> will dump all Login Keychain credentials from <code>~/Library/Keychains/login.keychain-db</code>. Adversaries may also directly read Login Keychain credentials from the <code>~/Library/Keychains/login.keychain</code> file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) |
Details | Published | Attributes | CTI | Title | ||
---|---|---|---|---|---|---|
Details | Website | 2025-02-11 | 0 | Password100 | ||
Details | Website | 2025-02-10 | 29 | MITRE ATT&CK T1555 Credentials from Password Stores | ||
Details | Website | 2025-02-08 | 2 | How To Hack Icloud! Guide (2025) | ||
Details | Website | 2025-02-02 | 4 | macOS security fundamentals for red team professionals | ||
Details | Website | 2025-01-30 | 29 | Stealers on the Rise: A Closer Look at a Growing macOS Threat | ||
Details | Website | 2025-01-30 | 1 | Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely | ||
Details | Website | 2025-01-29 | 2 | How to Find Old Accounts for Deletion | ||
Details | Website | 2025-01-20 | 5 | Developers, be careful when installing homebrew | ||
Details | Website | 2025-01-20 | 7 | Fake Microsoft Teams For Mac Delivers Atomic Stealer - RedPacket Security | ||
Details | Website | 2025-01-20 | 37 | 2024 macOS Malware Review | Infostealers, Backdoors, and APT Campaigns Targeting the Enterprise | ||
Details | Website | 2025-01-18 | 1 | I Found Some Best Ways To Store JWT (JSON Web Token) in Flutter. | ||
Details | Website | 2025-01-17 | 0 | Lazarus Group Targets Developers in New Data Theft Campaign | ||
Details | Website | 2025-01-16 | 3 | Potential Stealer: Purrglar in Progress | ||
Details | Website | 2025-01-15 | 4 | Basics of Bypassing Authentication Mechanisms | ||
Details | Website | 2025-01-14 | 2 | Building OSX Chrome Harvester | ||
Details | Website | 2025-01-13 | 8 | Open Bullet 2: The Preferred Credential Stuffing Tool for Bots | ||
Details | Website | 2025-01-12 | 0 | Understanding Cybersecurity and Mobile Security | ||
Details | Website | 2025-01-12 | 12 | Sightless | HTB Writeup | ||
Details | Website | 2025-01-10 | 0 | Banshee macOS stealer supports new evasion mechanisms | ||
Details | Website | 2025-01-09 | 144 | Banshee: The Stealer That "Stole Code" From MacOS XProtect - Check Point Research | ||
Details | Website | 2025-01-09 | 38 | The Feed 2025–01–09 | ||
Details | Website | 2025-01-06 | 11 | Breaking Through Chromium Protections | ||
Details | Website | 2025-01-06 | 9 | North Korean Hackers Wipe Cryptocurrency Wallets via Fake Job Interviews | ||
Details | Website | 2025-01-06 | 19 | 북한 라자루스(Lazarus)에서 만든 브라우저 악성코드-11.js(2024.12.28) | ||
Details | Website | 2025-01-02 | 6 | 一个你女朋友可以把你 Uniswap 钱包资产全部转走的 0 day 漏洞 | CTF导航 |