cti/enterprise-attack/attack-pattern/attack-pattern--2715c335-1bf2-4efe-9f18-0691317ff83b.json

{
    "type": "bundle",
    "id": "bundle--62b2a353-2d93-478c-a293-8c8d2e16a729",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--2715c335-1bf2-4efe-9f18-0691317ff83b",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-12-14T16:46:06.044Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Securityd Memory",
            "description": "In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple\u2019s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple\u2019s securityd utility takes the user\u2019s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user\u2019s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. (Citation: OS X Keychain)\n\nIf an adversary can obtain root access (allowing them to read securityd\u2019s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user\u2019s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. (Citation: OS X Keychain) (Citation: OSX Keydnap malware)\n\nPlatforms: macOS\n\nData Sources: Process Monitoring\n\nPermissions Required: root",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "credential-access"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1167",
                    "external_id": "T1167"
                },
                {
                    "source_name": "OS X Keychain",
                    "description": "Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved July 15, 2017.",
                    "url": "http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain"
                },
                {
                    "source_name": "External to DA, the OS X Way",
                    "description": "Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017.",
                    "url": "http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way"
                },
                {
                    "source_name": "OSX Keydnap malware",
                    "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
                    "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_data_sources": [
                "Process Monitoring"
            ],
            "x_mitre_permissions_required": [
                "root"
            ],
            "x_mitre_platforms": [
                "macOS"
            ]
        }
    ]
}