Keychain - T1555.001
(ATT&CK® Technique)
Definition
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
D3FEND Inferred Relationships
Artifacts associated with the offensive technique:
- Keychain (T1555.001) accesses MacOS Keychain (d3f:MacOSKeychain)
- Keychain (T1555.001) accesses Password Store (d3f:PasswordStore)
- Keychain (T1555.001) may-access Database File (d3f:DatabaseFile)

Defensive techniques inferred through those artifacts:
- Decoy File (d3f:DecoyFile) spoofs Database File; may-deceive Keychain (T1555.001)
- File Integrity Monitoring (d3f:FileIntegrityMonitoring) analyzes Database File; may-detect Keychain (T1555.001)
- File Eviction (d3f:FileEviction) deletes Database File; may-evict Keychain (T1555.001)
- File Encryption (d3f:FileEncryption) encrypts Database File; may-harden Keychain (T1555.001)
- Content Modification (d3f:ContentModification) modifies Database File; may-isolate Keychain (T1555.001)
- Content Quarantine (d3f:ContentQuarantine) quarantines Database File; may-isolate Keychain (T1555.001)
- Local File Permissions (d3f:LocalFilePermissions) restricts Database File; may-isolate Keychain (T1555.001)
- File Analysis (d3f:FileAnalysis) analyzes Database File; may-detect Keychain (T1555.001)
- Content Filtering (d3f:ContentFiltering) filters Database File; may-isolate Keychain (T1555.001)
- Remote File Access Mediation (d3f:RemoteFileAccessMediation) isolates Database File; may-isolate Keychain (T1555.001)
- Restore Database (d3f:RestoreDatabase) restores MacOS Keychain and Password Store; may-restore Keychain (T1555.001)
- Restore File (d3f:RestoreFile) restores Database File; may-restore Keychain (T1555.001)