sigmaDRL-1.1from SigmaHQ/sigma
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
Quality
84
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects passwords dumps from Keychain
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
- https://gist.github.com/Capybara/6228955
author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1555.001
logsource:
category: process_creation
product: macos
detection:
selection1:
Image: '/usr/bin/security'
CommandLine|contains:
- 'find-certificate'
- ' export '
selection2:
CommandLine|contains:
- ' dump-keychain '
- ' login-keychain '
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: medium