Keychain - T1142
(ATT&CK® Technique)
Definition
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.
D3FEND Inferred Relationships
Offensive technique and artifact:
Keychain (T1142) accesses Encrypted Credential.

Defensive techniques, their relationship to the Encrypted Credential artifact, and the inferred relationship to Keychain (T1142):
Reissue Credential: restores Encrypted Credential; may-restore Keychain.
Multi-factor Authentication: uses Encrypted Credential; may-harden Keychain.
Credential Rotation: regenerates Encrypted Credential; may-harden Keychain.
Decoy User Credential: spoofs Encrypted Credential; may-deceive Keychain.
Credential Compromise Scope Analysis: analyzes Encrypted Credential; may-detect Keychain.
Credential Revocation: deletes Encrypted Credential; may-evict Keychain.
Credential Transmission Scoping: isolates Encrypted Credential; may-isolate Keychain.
Credential Hardening: hardens Encrypted Credential; may-harden Keychain.
Authentication Cache Invalidation: deletes Encrypted Credential; may-evict Keychain.