ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩, 戴亦仑. Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Glossary: /attack/glossary


In OS X prior to El Capitan, users with root access can read the plaintext keychain passwords of logged-in users, because Apple's keychain implementation caches these credentials so that users are not repeatedly prompted for their password. Apple's securityd daemon takes the user's logon password, derives a master key from it with PBKDF2, and keeps that master key in memory. Apple also uses a further set of keys and algorithms to protect the user's secrets, but once the master key is found, an attacker need only iterate over the other values to recover the final passwords.

If an adversary can obtain root access (which allows them to read securityd's memory), they can scan that memory and find the correct key in relatively few tries to decrypt the user's login keychain. This gives the adversary every plaintext secret in the keychain: user passwords, WiFi, mail and browser credentials, certificates, secure notes, and so on.


ID: T1167

Tactic: Credential Access

Platform: macOS

Permissions Required: root

Data Sources: Process monitoring


Name Description
Keydnap (S0276) Keydnap (S0276) uses the keychaindump project to read securityd memory.



This type of attack technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features. Detection therefore relies on the listed data source, process monitoring: look for processes that read securityd's memory, such as the keychaindump tool that Keydnap uses.
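The page's only data source for this technique is process monitoring. The script below is an added example, not code from the ATT&CK page, the keychaindump project or Keydnap: it runs two detection rules over a constructed JSON-lines process feed. Rule 1 matches the behaviour named on the page (execution of keychaindump); rule 2 generalises it to any process that obtains securityd's task port, the prerequisite for reading its memory, unless the caller is on an explicit allowlist. The event schema (field names such as `event`, `process`, `target_process`), the paths, pids and timestamps are assumptions made for this example and would need mapping onto a real EDR or audit feed.

```python
"""Detection rules for ATT&CK T1167 over a process-monitoring feed.

Added example: not code from the ATT&CK page, keychaindump or Keydnap.
The JSON-lines schema used here ("event", "pid", "ppid", "uid", "process",
"argv", "target_pid", "target_process") is an assumption for this example.
"""
import json
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Tool the page names as Keydnap's way of reading securityd memory.
KNOWN_DUMPERS: FrozenSet[str] = frozenset({"keychaindump"})

# Constructed sample feed (timestamps, paths and pids invented). Events 3 and 4
# model the page's Keydnap behaviour: a root process executes keychaindump,
# which then takes securityd's task port to read its memory. Event 5 is a
# benign debugger attach to a user process and must not fire.
SAMPLE_EVENTS = """\
{"ts":"2019-11-04T10:00:01Z","event":"exec","pid":412,"ppid":1,"uid":0,"process":"/usr/sbin/securityd","argv":["/usr/sbin/securityd","-i"]}
{"ts":"2019-11-04T10:02:17Z","event":"exec","pid":5120,"ppid":5001,"uid":501,"process":"/Applications/Safari.app/Contents/MacOS/Safari","argv":["Safari"]}
{"ts":"2019-11-04T10:05:03Z","event":"exec","pid":5203,"ppid":5190,"uid":0,"process":"/private/tmp/.cache/keychaindump","argv":["./keychaindump"]}
{"ts":"2019-11-04T10:05:04Z","event":"task_for_pid","pid":5203,"uid":0,"process":"/private/tmp/.cache/keychaindump","target_pid":412,"target_process":"/usr/sbin/securityd"}
{"ts":"2019-11-04T10:07:44Z","event":"task_for_pid","pid":5310,"uid":0,"process":"/usr/bin/lldb","target_pid":5120,"target_process":"/Applications/Safari.app/Contents/MacOS/Safari"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    process: str
    detail: str


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines, skipping blank or malformed records instead of aborting."""
    events: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def analyze(events: Iterable[Dict],
            allowed_securityd_readers: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Apply two rules for T1167.

    known_dumper_exec:   a binary whose basename is a known keychain dumper ran.
    securityd_task_port: a process obtained securityd's task port (needed to
                         read its memory) and is not on the allowlist. Root is
                         required for this, so the caller's uid is recorded.
    """
    exec_by_pid: Dict[int, Dict] = {}
    findings: List[Finding] = []
    for ev in events:
        kind = ev.get("event")
        pid = ev.get("pid")
        proc = ev.get("process", "")
        if kind == "exec":
            exec_by_pid[pid] = ev
            if os.path.basename(proc) in KNOWN_DUMPERS:
                findings.append(Finding("known_dumper_exec", pid, proc,
                                        "argv=%r uid=%s" % (ev.get("argv"), ev.get("uid"))))
        elif kind == "task_for_pid":
            target = os.path.basename(ev.get("target_process", ""))
            if target == "securityd" and proc not in allowed_securityd_readers:
                parent = exec_by_pid.get(pid, {}).get("ppid")
                findings.append(Finding("securityd_task_port", pid, proc,
                                        "uid=%s ppid=%s target_pid=%s"
                                        % (ev.get("uid"), parent, ev.get("target_pid"))))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] pid={f.pid} {f.process} ({f.detail})")
```

Rule 2 is the one worth keeping even if the dumper is renamed: nothing outside Apple's own tooling has a legitimate reason to hold securityd's task port, so an empty allowlist is a reasonable default and the rule fires on the behaviour rather than on a file name.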