Keychain Password Retrieval via Command Line

Adversaries may collect keychain storage data from a system in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.

Elastic rule

[metadata]
creation_date = "2020/01/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Adversaries may collect keychain storage data from a system in order to acquire credentials. Keychains are the
built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi
and website passwords, secure notes, certificates, and Kerberos.
"""
false_positives = ["Applications for password management."]
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Keychain Password Retrieval via Command Line"
references = [
    "https://www.netmeister.org/blog/keychain-passwords.html",
    "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
    "https://ss64.com/osx/security.html",
    "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
]
risk_score = 73
rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.action == "exec" and
 process.name : "security" and
 process.args : ("-wa", "-ga") and process.args : ("find-generic-password", "find-internet-password") and
 process.command_line : ("*Chrome*", "*Chromium*", "*Opera*", "*Safari*", "*Brave*", "*Microsoft Edge*", "*Firefox*") and
 not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Keychain Password Retrieval via Command Line

Keychain is macOS's secure storage system for managing user credentials, including passwords and certificates. Adversaries may exploit command-line tools to extract sensitive data from Keychain, targeting browsers like Chrome and Safari. The detection rule identifies suspicious command executions involving Keychain access, focusing on specific arguments and excluding legitimate applications, to flag potential credential theft attempts.

### Possible investigation steps

- Review the process execution details to confirm the presence of the 'security' command with arguments '-wa' or '-ga' and 'find-generic-password' or 'find-internet-password', as these indicate attempts to access Keychain data.
- Examine the command line for references to browsers such as Chrome, Safari, or others specified in the rule to determine if the target was browser-related credentials.
- Investigate the parent process of the suspicious command to ensure it is not a legitimate application, specifically checking that it is not the Keeper Password Manager, as this is excluded in the rule.
- Check the user account associated with the process execution to determine if the activity aligns with expected behavior for that user or if it suggests unauthorized access.
- Review recent login and access logs for the system to identify any unusual or unauthorized access patterns that could correlate with the suspicious Keychain access attempt.
- Assess the system for any additional indicators of compromise or related suspicious activities that might suggest a broader security incident.

### False positive analysis

- Legitimate password managers like Keeper Password Manager may trigger the rule due to their access to Keychain for managing user credentials. To handle this, ensure that the process parent executable path for such applications is added to the exclusion list.
- System maintenance or administrative scripts that access Keychain for legitimate purposes might be flagged. Review these scripts and, if verified as safe, add their specific command patterns to the exception list.
- Development or testing tools that interact with browsers and require Keychain access could cause false positives. Identify these tools and exclude their specific process names or command-line arguments if they are part of regular operations.
- Automated backup or synchronization services that access browser credentials stored in Keychain may be mistakenly identified. Confirm these services' legitimacy and exclude their associated processes from the detection rule.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified by the detection rule, particularly those involving the 'security' command with the specified arguments targeting browsers.
- Conduct a thorough review of the system's keychain access logs to identify any unauthorized access attempts and determine the scope of the compromise.
- Change all potentially compromised credentials stored in the keychain, including browser passwords and Wi-Fi credentials, and ensure they are updated across all relevant services.
- Implement additional monitoring on the affected system and similar endpoints to detect any further attempts to access keychain data using command-line tools.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.
- Review and update endpoint security configurations to restrict unauthorized access to keychain data and enhance logging for keychain-related activities."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.001"
name = "Keychain"
reference = "https://attack.mitre.org/techniques/T1555/001/"


[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.003"
name = "Credentials from Web Browsers"
reference = "https://attack.mitre.org/techniques/T1555/003/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
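The EQL query above, re-implemented in Python as an added example (this is not code from the Elastic rule, its references, or Elastic Defend) and run over a handful of constructed process events. It reproduces each clause of the query: a `:` comparison is a case-insensitive match with `*` wildcards, `process.args : (...)` is true when any single argv element matches, and the Keeper helper is excluded by its parent executable path. The sample events, user names, and the Keeper helper bundle name are assumptions made up for the demonstration. Reading the query literally also shows what it does not cover: `-wa` and `-ga` must appear as single argument tokens, so a lookup that passes `-w` and `-s` as separate arguments produces no hit, and one such event is included below.

```python
"""Python model of the rule's EQL query, evaluated over constructed sample events.
Added example; not code from the Elastic rule. All event contents are made up."""
import fnmatch
from dataclasses import dataclass

# Literals copied from the rule's query.
BROWSER_PATTERNS = ("*Chrome*", "*Chromium*", "*Opera*", "*Safari*",
                    "*Brave*", "*Microsoft Edge*", "*Firefox*")
FLAG_ARGS = ("-wa", "-ga")
SUBCOMMANDS = ("find-generic-password", "find-internet-password")
KEEPER_PARENT = ("/Applications/Keeper Password Manager.app/Contents/Frameworks/"
                 "Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*")


def glob_ci(value: str, pattern: str) -> bool:
    """EQL ':' semantics: case-insensitive comparison with '*' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def any_arg_matches(args: list[str], patterns: tuple) -> bool:
    """process.args : (...) is true when any single argv element matches any pattern."""
    return any(glob_ci(a, p) for a in args for p in patterns)


@dataclass
class ProcessEvent:
    os_type: str              # host.os.type
    action: str               # event.action
    name: str                 # process.name
    args: list[str]           # process.args
    command_line: str         # process.command_line
    parent_executable: str    # process.parent.executable
    user: str = "unknown"     # assumed user field, used only for triage output


def matches_rule(ev: ProcessEvent) -> bool:
    """One check per clause of the EQL query, in the query's order."""
    if ev.os_type != "macos" or ev.action != "exec":
        return False
    if not glob_ci(ev.name, "security"):
        return False
    if not any_arg_matches(ev.args, FLAG_ARGS):
        return False
    if not any_arg_matches(ev.args, SUBCOMMANDS):
        return False
    if not any(glob_ci(ev.command_line, p) for p in BROWSER_PATTERNS):
        return False
    if glob_ci(ev.parent_executable, KEEPER_PARENT):   # the rule's single exclusion
        return False
    return True


def triage(events):
    """Collect the fields the investigation guide asks for, for each matching event."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        browser = next(p.strip("*") for p in BROWSER_PATTERNS if glob_ci(ev.command_line, p))
        hits.append({"user": ev.user, "parent": ev.parent_executable,
                     "browser": browser, "command_line": ev.command_line})
    return hits


# Constructed sample telemetry (not real events); the Keeper helper bundle name is assumed.
KEEPER_HELPER = ("/Applications/Keeper Password Manager.app/Contents/Frameworks/"
                 "Keeper Password Manager Helper (Renderer).app/Contents/MacOS/"
                 "Keeper Password Manager Helper (Renderer)")
SAMPLE_EVENTS = [
    # 1. Shell script reading the Chrome keychain entry: should fire.
    ProcessEvent("macos", "exec", "security",
                 ["security", "find-generic-password", "-wa", "Chrome"],
                 "security find-generic-password -wa Chrome", "/bin/bash", user="jdoe"),
    # 2. Same command spawned by the Keeper helper: suppressed by the parent-path exclusion.
    ProcessEvent("macos", "exec", "security",
                 ["security", "find-generic-password", "-wa", "Chrome"],
                 "security find-generic-password -wa Chrome", KEEPER_HELPER, user="jdoe"),
    # 3. Internet password lookup for a non-browser service: no browser term, no hit.
    ProcessEvent("macos", "exec", "security",
                 ["security", "find-internet-password", "-ga", "svc", "-s", "intranet.example"],
                 "security find-internet-password -ga svc -s intranet.example", "/bin/zsh", user="ops"),
    # 4. Same Chrome secret requested with split flags: no literal "-wa"/"-ga" token, no hit.
    ProcessEvent("macos", "exec", "security",
                 ["security", "find-generic-password", "-w", "-s", "Chrome Safe Storage"],
                 'security find-generic-password -w -s "Chrome Safe Storage"', "/bin/zsh", user="jdoe"),
    # 5. Chromium entry pulled via osascript: should fire, browser reported as Chromium.
    ProcessEvent("macos", "exec", "security",
                 ["security", "find-generic-password", "-ga", "Chromium"],
                 "security find-generic-password -ga Chromium", "/usr/bin/osascript", user="build"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Events 1 and 5 are the only hits; event 2 shows the Keeper exclusion and event 4 the split-flag gap. To exercise the real rule against live Elastic Defend telemetry without exposing a secret, run a lookup whose account name cannot exist, for example `security find-generic-password -wa Chrome-detection-test` (a made-up account name): the command fails with an item-not-found error but still emits an exec event carrying every term the query requires.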

