Synopsis
Description
A process that does not normally touch Keychain files opened one. On macOS the Keychain is the system credential store: the login keychain (~/Library/Keychains/login.keychain-db) holds the user's saved passwords, private keys, certificates and tokens, and the System keychain (/Library/Keychains/System.keychain) holds machine-wide secrets such as Wi-Fi credentials. Applications normally reach Keychain items through the Security framework, so the processes that open the files themselves form a small, stable set (securityd, the security command-line tool, Keychain Access). A rare or unexpected process opening the file directly is the pattern that credential-stealing malware and post-exploitation tooling produce, so this might indicate a credential grabbing attempt.
Attacker's Goals
Obtain the credentials stored in the Keychain file (passwords, keys, certificates, tokens) and reuse them against the user's accounts, services or other hosts. The file is encrypted, so an attacker who copies it usually also needs the user's login password for the login keychain, or root access for the System keychain, and will often try to capture or crack that password alongside the file copy.
Investigative actions
- Determine whether it is legitimate for the process to access credential data directly. Browsers, password managers, VPN and MDM agents have reasons to read Keychain items, but they do so through the Security framework rather than by opening the keychain file; a process reading the file bytes itself, or copying the file elsewhere, is rarely legitimate.
- Analyze the process/application that touched the Keychain: its path, code signature and notarization status, hash reputation, command line, and the parent and causality chain that launched it.
- Check for any other suspicious actions performed by the process or its chain: persistence (LaunchAgents, LaunchDaemons, login items), outbound network connections, staging or archiving of files, and reads of other credential stores (browser profiles, ~/.ssh, cloud CLI tokens).
- Look for unusual access to resources using credentials stored in that Keychain: logins to accounts or services from new hosts or locations, new API tokens in use, or certificate-authenticated sessions the user did not initiate.
Variations
Rare process accessed a Keychain file using the networksetup tool
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
Same detection as the parent alert, with the Keychain access performed through networksetup, the macOS command-line tool for network configuration. networksetup legitimately writes Wi-Fi passwords and other network profile secrets into the System keychain when it joins or configures a network, so a rare process driving it is a way to reach stored network credentials without touching the keychain file directly. Check the networksetup command line, the user it ran as and the process that launched it.
Attacker's Goals
As for the parent alert: obtain access to credentials stored in the Keychain file, here in particular saved network passwords.
Investigative actions
As for the parent alert, plus: confirm whether the network change made by networksetup (a new SSID, profile or proxy) was expected, and whether the same process chain reached the Keychain by other means.
Rare process accessed a Keychain file while installing a new certificate
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
Same detection as the parent alert, with the Keychain access occurring while a certificate was being installed (for example, security add-trusted-cert or security import writing into a keychain). Certificate installation is routine for IT, MDM and VPN setup, which is why this variation is rated Medium rather than High, but a rare process installing a certificate still deserves a look: a root certificate trusted by the attacker's choice lets them intercept TLS traffic, and a client certificate or private key placed in the keychain can be used to authenticate as the user.
Attacker's Goals
As for the parent alert, or, when the access is a write rather than a read, establish trust for an attacker-controlled certificate.
Investigative actions
As for the parent alert, plus: identify the certificate that was installed (subject, issuer, whether it is a root or a client certificate, and whether it was marked as trusted) and confirm it came from an expected source such as the organization's PKI or MDM enrollment.
Rare process accessed a Keychain file initiated by a causality actor with a rare path
Synopsis
Description
Same detection as the parent alert, with the causality actor (the process at the root of the execution chain that led to the Keychain access) running from a path where processes are rarely started on this host, such as a temporary, download or cache directory rather than /Applications, /System or /usr. Malware dropped by a phishing attachment or a downloaded installer typically runs from such a location.
Attacker's Goals
As for the parent alert: obtain access to credentials stored in the Keychain file.
Investigative actions
As for the parent alert, with the analysis focused on the causality actor: what wrote the file at that path and when, how it was launched, and whether the same path appears on other hosts.
Rare process accessed a Keychain file initiated by an unsigned causality actor
Synopsis
Description
Same detection as the parent alert, with the causality actor (the process at the root of the execution chain that led to the Keychain access) unsigned. Almost all legitimate macOS software is code-signed, and software distributed over the internet is also notarized, so an unsigned process at the root of a chain that ends in a Keychain access is a strong indicator of malware or of an ad hoc tool an attacker brought with them.
Attacker's Goals
As for the parent alert: obtain access to credentials stored in the Keychain file.
Investigative actions
As for the parent alert, plus: verify the signature status yourself (codesign -dv --verbose=4 on the binary) and establish how the unsigned actor was delivered and launched, for example whether the file carried the quarantine attribute that would have made Gatekeeper block it, or was fetched by a script that never set it.
Rare unsigned process accessed a Keychain file
Synopsis
Description
Same detection as the parent alert, with the process that opened the Keychain file itself unsigned. The system components and tools that legitimately open keychain files are all signed by Apple, so an unsigned process opening the file directly is very rarely benign and points at a credential-stealing tool or script.
Attacker's Goals
As for the parent alert: obtain access to credentials stored in the Keychain file.
Investigative actions
As for the parent alert, plus: verify the signature status of the binary, look for a copy of the keychain file elsewhere on disk or inside an archive, and check for outbound connections made by the process immediately after the access.
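The detection and triage logic described above for the alert and its variations, as an added example that is not the vendor's detection code: a Python script that applies the rarity baseline and the keychain-path match to a set of constructed file-access events, then tags each rare access with the variation it matches (networksetup, certificate installation, unsigned process, unsigned or rare-path causality actor). The event field names, hosts, paths and command lines are assumptions made for the example, and severity is taken from this page only for the two variations that list one.

```python
"""Triage helper for "Rare process accessed a Keychain file" and its variations.

Added example, not the vendor's detection code. The event schema used here
(process, signed, actor, actor_signed, file, cmdline) is an assumed
approximation of an EDR file-access record, and all sample events are
constructed for the example.
"""
import json
from collections import Counter
from pathlib import PurePosixPath

# Keychain files on macOS live under a Keychains directory, e.g.
# ~/Library/Keychains/login.keychain-db or /Library/Keychains/System.keychain.
KEYCHAIN_DIR = "/Library/Keychains/"
KEYCHAIN_SUFFIXES = (".keychain", ".keychain-db")

# Severities the alert page gives; it lists none for the other variations,
# so those findings carry None rather than an invented rating.
SEVERITY = {
    "using the networksetup tool": "High",
    "while installing a new certificate": "Medium",
}

# Constructed sample events, one JSON object per line. The first nine are a
# benign baseline (the security tool, securityd, Keychain Access); ts 10 is
# not a keychain access; ts 11-14 exercise the alert and its variations.
SAMPLE_EVENTS = """\
{"ts": 1, "process": "/usr/bin/security", "signed": true, "actor": "/usr/bin/login", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "security find-generic-password -s corp-wifi"}
{"ts": 2, "process": "/usr/bin/security", "signed": true, "actor": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "security list-keychains"}
{"ts": 3, "process": "/usr/bin/security", "signed": true, "actor": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "security find-internet-password -s git.example.com"}
{"ts": 4, "process": "/usr/sbin/securityd", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Library/Keychains/System.keychain", "cmdline": "/usr/sbin/securityd -i"}
{"ts": 5, "process": "/usr/sbin/securityd", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Library/Keychains/System.keychain", "cmdline": "/usr/sbin/securityd -i"}
{"ts": 6, "process": "/usr/sbin/securityd", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "/usr/sbin/securityd -i"}
{"ts": 7, "process": "/System/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "Keychain Access"}
{"ts": 8, "process": "/System/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "Keychain Access"}
{"ts": 9, "process": "/System/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "Keychain Access"}
{"ts": 10, "process": "/usr/bin/vim", "signed": true, "actor": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "actor_signed": true, "file": "/Users/alice/notes.txt", "cmdline": "vim notes.txt"}
{"ts": 11, "process": "/tmp/.cache/updater", "signed": false, "actor": "/tmp/.cache/updater", "actor_signed": false, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "/tmp/.cache/updater --sync"}
{"ts": 12, "process": "/usr/sbin/networksetup", "signed": true, "actor": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "actor_signed": true, "file": "/Library/Keychains/System.keychain", "cmdline": "networksetup -setairportnetwork en0 corp-wifi hunter2"}
{"ts": 13, "process": "/Library/Application Support/CorpVPN/certinstall", "signed": true, "actor": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "actor_signed": true, "file": "/Library/Keychains/System.keychain", "cmdline": "certinstall --trust-root /tmp/corp-root.cer"}
{"ts": 14, "process": "/Applications/SomeTool.app/Contents/MacOS/SomeTool", "signed": true, "actor": "/sbin/launchd", "actor_signed": true, "file": "/Users/alice/Library/Keychains/login.keychain-db", "cmdline": "SomeTool"}
"""


def is_keychain_file(path: str) -> bool:
    """True for files under a Keychains directory or with a keychain suffix."""
    return KEYCHAIN_DIR in path or path.endswith(KEYCHAIN_SUFFIXES)


def parse_events(text: str) -> list:
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def looks_like_cert_install(cmdline: str) -> bool:
    """Heuristic for the 'while installing a new certificate' variation:
    a security(1) subcommand that adds certificates, or a certificate file
    passed as an argument."""
    lowered = cmdline.lower()
    if "add-trusted-cert" in lowered or "add-certificates" in lowered:
        return True
    return any(arg.endswith((".cer", ".crt", ".pem", ".der")) for arg in lowered.split())


def triage(events: list, rare_max: int = 2) -> list:
    """Return one finding per Keychain access by a rarely seen process.

    A process (or causality actor) is "rare" when it appears in at most
    rare_max Keychain accesses in the window. In production the baseline is
    built per host or fleet-wide over weeks; rare_max=2 only fits this sample.
    """
    keychain = [e for e in events if is_keychain_file(e["file"])]
    proc_counts = Counter(e["process"] for e in keychain)
    actor_counts = Counter(e["actor"] for e in keychain)
    findings = []
    for e in keychain:
        if proc_counts[e["process"]] > rare_max:
            continue  # a process that routinely opens keychains: not rare
        tags = []
        if not e["signed"]:
            tags.append("unsigned process")
        if PurePosixPath(e["process"]).name == "networksetup":
            tags.append("using the networksetup tool")
        if looks_like_cert_install(e.get("cmdline", "")):
            tags.append("while installing a new certificate")
        if not e["actor_signed"]:
            tags.append("initiated by an unsigned causality actor")
        if actor_counts[e["actor"]] <= rare_max:
            tags.append("initiated by a causality actor with a rare path")
        findings.append({
            "ts": e["ts"], "process": e["process"], "actor": e["actor"],
            "file": e["file"], "variations": tags,
            "severity": next((SEVERITY[t] for t in tags if t in SEVERITY), None),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

On the sample, the baseline processes are never reported, the vim event is ignored because it is not a keychain file, and four findings come out: the unsigned /tmp/.cache/updater (unsigned process, unsigned and rare-path actor), networksetup (High), the certificate installer (Medium), and SomeTool with no variation tags, which is the plain parent alert. The rarity threshold and the baseline window drive the false-positive rate; a short window makes legitimate tools such as the security command look rare.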