security #

Created by Pratik Jeware (@Pratik-987), Brendan Chamberlain (@infosecb)

Description ##

security is a command-line utility included in macOS that allows users to interact with the Keychain app. Keychains allow users to manager passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.

Paths ##

• /usr/bin/security

Use Cases ##

Dump credentials, keys, certificates, and other senstive information from Keychain ##

This command will dump keychain passwords from login.keychain

sudo security dump-keychain -d login.keychain

Retrieve Chrome’s “Chrome Safe Storage” password manager secret ##

This command will retrieve the Chrome Safe Storage password manager secret from the keychain.

security find-generic-password -w -s "Chrome Safe Storage"

Add an arbitrary trusted certificate to aid a MITM attack ##

This command will add a certificate to the keychain.

security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain bad_cert.crt

Detections ##

• Sigma: Credentials from Password Stores - Keychain

• Elastic: Access to Keychain Credentials Directories

• Elastic: Credential Access Dumping Keychain Security

• Elastic: Keychain Password Retrieval via Command Line

Resources ##

• Using the OS X Keychain to store and retrieve passwords

• SS64 security man page