CircleCI Atomic Red Team doc generator
40 lines
1.5 KiB
Markdown
40 lines
1.5 KiB
Markdown
# T1142 - Keychain
|
||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1142)
|
||
<blockquote>Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.
|
||
|
||
To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.</blockquote>
|
||
|
||
## Atomic Tests
|
||
|
||
- [Atomic Test #1 - Keychain](#atomic-test-1---keychain)
|
||
|
||
|
||
<br/>
|
||
|
||
## Atomic Test #1 - Keychain
|
||
### Keychain Files
|
||
|
||
~/Library/Keychains/
|
||
|
||
/Library/Keychains/
|
||
|
||
/Network/Library/Keychains/
|
||
|
||
[Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
|
||
|
||
[Keychain dumper](https://github.com/juuso/keychaindump)
|
||
|
||
**Supported Platforms:** macOS
|
||
|
||
|
||
#### Run it with `sh`!
|
||
```
|
||
security -h
|
||
security find-certificate -a -p > allcerts.pem
|
||
security import /tmp/certs.pem -k
|
||
```
|
||
|
||
|
||
|
||
<br/>
|