security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
T
frack113 01dc930c17 Change status for old rules
2021-11-27 11:33:14 +01:00

31 lines
825 B
YAML
Raw Blame History

title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects passwords dumps from Keychain
author: Tim Ismilyaev, oscd.community, Florian Roth
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
- https://gist.github.com/Capybara/6228955
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
detection:
selection1:
Image: '/usr/bin/security'
CommandLine|contains:
- 'find-certificate'
- ' export '
selection2:
CommandLine|contains:
- ' dump-keychain '
- ' login-keychain '
condition: 1 of them
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.credential_access
- attack.t1555.001
Reference in New Issue View Git Blame Copy Permalink