T1142

🏡

Mac/Credential_Access/Keychain.md

@@ -1,32 +0,0 @@
-# Keychain
-
-MITRE ATT&CK Technique: [T1142](https://attack.mitre.org/wiki/Technique/T1142)
-
-### Keychain Files
-
-    ~/Library/Keychains/
-
-    /Library/Keychains/
-
-    /Network/Library/Keychains/
-
-### security command line
-
-Input:
-
-    security -h
-
-Input:
-
-    security find-certificate -a -p > allcerts.pem
-
-Input:
-
-    security import /tmp/certs.pem -k
-
-
-### References
-
-[Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-[Keychain dumper](https://github.com/juuso/keychaindump)

atomics/T1142/T1142.yaml

@@ -0,0 +1,29 @@
+---
+attack_technique: T1142
+display_name: Keychain
+
+atomic_tests:
+- name: Keychain
+  description: |
+    ### Keychain Files
+
+      ~/Library/Keychains/
+
+      /Library/Keychains/
+
+      /Network/Library/Keychains/
+
+      [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
+
+      [Keychain dumper](https://github.com/juuso/keychaindump)
+
+
+  supported_platforms:
+    - macos
+
+  executor:
+    name: sh
+    command: |
+      security -h
+      security find-certificate -a -p > allcerts.pem
+      security import /tmp/certs.pem -k