cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json

{
    "type": "bundle",
    "id": "bundle--de75876b-4b73-4371-a4ba-cecda03cd3c6",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "iOS"
            ],
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38",
            "created": "2020-06-24T17:33:49.778Z",
            "x_mitre_version": "1.0",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1579",
                    "url": "https://attack.mitre.org/techniques/T1579"
                },
                {
                    "source_name": "Apple Keychain Services",
                    "url": "https://developer.apple.com/documentation/security/keychain_services",
                    "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020."
                },
                {
                    "source_name": "Elcomsoft Decrypt Keychain",
                    "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/",
                    "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020."
                },
                {
                    "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html",
                    "source_name": "NIST Mobile Threat Catalogue",
                    "external_id": "AUT-11"
                }
            ],
            "x_mitre_deprecated": false,
            "revoked": true,
            "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)",
            "modified": "2022-04-01T15:02:43.470Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Keychain",
            "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "credential-access"
                }
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}