From 96a5643aa4fe59934136e430ad5e284cbf91d009 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 11:29:46 -0400
Subject: [PATCH] T1142 :house_with_garden:
---
Mac/Credential_Access/Keychain.md | 32 -------------------------------
atomics/T1142/T1142.yaml | 29 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 32 deletions(-)
delete mode 100644 Mac/Credential_Access/Keychain.md
create mode 100644 atomics/T1142/T1142.yaml
diff --git a/Mac/Credential_Access/Keychain.md b/Mac/Credential_Access/Keychain.md
deleted file mode 100644
index 0af2889b..00000000
--- a/Mac/Credential_Access/Keychain.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# Keychain
-
-MITRE ATT&CK Technique: [T1142](https://attack.mitre.org/wiki/Technique/T1142)
-
-### Keychain Files
-
- ~/Library/Keychains/
-
- /Library/Keychains/
-
- /Network/Library/Keychains/
-
-### security command line
-
-Input:
-
- security -h
-
-Input:
-
- security find-certificate -a -p > allcerts.pem
-
-Input:
-
- security import /tmp/certs.pem -k
-
-
-### References
-
-[Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-[Keychain dumper](https://github.com/juuso/keychaindump)
diff --git a/atomics/T1142/T1142.yaml b/atomics/T1142/T1142.yaml
new file mode 100644
index 00000000..c546e9d6
--- /dev/null
+++ b/atomics/T1142/T1142.yaml
@@ -0,0 +1,29 @@
+---
+attack_technique: T1142
+display_name: Keychain
+
+atomic_tests:
+- name: Keychain
+ description: |
+ ### Keychain Files
+
+ ~/Library/Keychains/
+
+ /Library/Keychains/
+
+ /Network/Library/Keychains/
+
+ [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
+
+ [Keychain dumper](https://github.com/juuso/keychaindump)
+
+
+ supported_platforms:
+ - macos
+
+ executor:
+ name: sh
+ command: |
+ security -h
+ security find-certificate -a -p > allcerts.pem
+ security import /tmp/certs.pem -k
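Review bot: The last executor line, `security import /tmp/certs.pem -k`, cannot run as written: `-k` expects a keychain path that is never supplied, and nothing in the test creates `/tmp/certs.pem`, so that step fails before anything keychain-related happens. The `description` lists three keychain directories and two links but never states what the test does; a one-sentence opener such as `Enumerates certificates with security find-certificate and imports a PEM file into a keychain via the security CLI, so the resulting security process activity can be used to validate detection.` would make the intent clear to whoever runs it. `security -h` only prints usage and produces nothing worth detecting, so it can be dropped, while `security find-certificate -a -p > allcerts.pem` leaves a file in the working directory that the test should remove afterwards if the harness offers a cleanup step. Indentation in this paste is collapsed, so the YAML nesting of `description`, `supported_platforms` and `executor` under the `- name: Keychain` list item should be confirmed in the actual file.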