From faddf2fe1e0ad71efa8d438095022ff187fefc65 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Wed, 5 Feb 2025 16:01:29 -0600
Subject: [PATCH] T1555.001 Copy Keychain via cat (#3048)

Co-authored-by: Bhavin Patel
---
 atomics/T1555.001/T1555.001.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/atomics/T1555.001/T1555.001.yaml b/atomics/T1555.001/T1555.001.yaml
index f01eed26..c7624569 100644
--- a/atomics/T1555.001/T1555.001.yaml
+++ b/atomics/T1555.001/T1555.001.yaml
@@ -55,3 +55,20 @@ atomic_tests:
 security import #{cert_export} -k
 name: sh
 elevation_required: false
+
+- name: Copy Keychain using cat utility
+ description: |
+ This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer.
+ supported_platforms:
+ - macos
+ input_arguments:
+ keychain_export:
+ description: Specify the path to copy they keychain into.
+ type: path
+ default: /tmp/keychain
+ executor:
+ command: |
+ cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
+ cleanup_command: 'rm #{keychain_export}'
+ name: sh
+ elevation_required: false
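Review bot: The new test writes its copy of the login keychain to the default `/tmp/keychain`, and both the `command` and `cleanup_command` lines leave `#{keychain_export}` unquoted, so a path containing spaces breaks both and the copy is created with the shell's default umask in a shared directory. Quoting the argument and tightening permissions keeps the artifact private to the test user: `umask 077; cat ~/Library/Keychains/login.keychain-db > "#{keychain_export}"` and `cleanup_command: 'rm -f "#{keychain_export}"'`. Using `rm -f` also keeps cleanup from erroring when the copy was never created, for example if the read was denied. The `keychain_export` description has a typo: "they keychain" should read "the keychain".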