User foothold → keychain dump → cloud creds
Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies.
§ Context
Assumed environment: foothold as the desktop user (no root). User has Safari saved logins + dev creds in their login.keychain. Their account password is weak or known via prior compromise.
§ Steps
- 01: Use harvested cloud / SSO creds (Initial Access; T1078, Valid Accounts)
- 02: User shell (Initial Access; T1078, Valid Accounts)
- 03: security dump-keychain / chainbreaker (Credential Access; T1552, Unsecured Credentials)
- 04: Locate ~/Library/Keychains/login.keychain-db (Discovery; T1083, File and Directory Discovery)
- 05: Crack master with ChainBreaker (Credential Access; MAC-KEYCHAIN-DUMP, macOS Keychain Dump)
§ References
§ Frequently asked
- What is the "User foothold → keychain dump → cloud creds" attack path?
- Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Use harvested cloud / SSO creds (T1078), an Initial Access primitive. Assumed environment: foothold as the desktop user (no root).
- What is the final impact of this kill-chain?
- The final step lands on Crack master with ChainBreaker (MAC-KEYCHAIN-DUMP), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
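An added detection example, not part of the original dossier: it scans process-execution and file-access events for the three host-side indicators the steps above name (`security dump-keychain`, a ChainBreaker invocation, and a non-system process touching login.keychain-db). The event schema (user, proc, cmdline, file), the sample events and the allowlist of trusted readers are all assumptions made for the example.

```python
import json
import re
from typing import List, Optional

# Constructed process-exec / file-access events in the shape an EDR or osquery-style
# collector might emit (assumed fields: user, proc, cmdline, file). Made up for this example.
SAMPLE_EVENTS = [
    '{"user":"alice","proc":"security","cmdline":"security list-keychains","file":""}',
    '{"user":"alice","proc":"security","cmdline":"security dump-keychain -d login.keychain-db","file":""}',
    '{"user":"alice","proc":"python3","cmdline":"python3 chainbreaker.py --dump-all login.keychain-db","file":""}',
    '{"user":"alice","proc":"cp","cmdline":"cp login.keychain-db /tmp/lk.db","file":"/Users/alice/Library/Keychains/login.keychain-db"}',
    '{"user":"alice","proc":"securityd","cmdline":"/usr/sbin/securityd -i","file":"/Users/alice/Library/Keychains/login.keychain-db"}',
]

KEYCHAIN_FILE = re.compile(r"/login\.keychain(-db)?$")
# Assumed allowlist: system components expected to open the keychain file directly.
TRUSTED_READERS = {"securityd", "security", "Keychain Access"}

def inspect_event(ev: dict) -> Optional[tuple]:
    """Return (rule, user, proc, detail) if the event matches a rule, else None."""
    user, proc = ev.get("user", "?"), ev.get("proc", "")
    cmd, path = ev.get("cmdline", ""), ev.get("file", "")
    args = cmd.split()
    # Rule 1: `security dump-keychain`; the -d flag additionally dumps the secret data.
    if proc == "security" and "dump-keychain" in args:
        sev = "high" if "-d" in args else "medium"
        return ("security-dump-keychain", user, proc, f"{sev}: {cmd}")
    # Rule 2: ChainBreaker (offline keychain cracker) invoked on the host.
    if "chainbreaker" in cmd.lower():
        return ("chainbreaker-exec", user, proc, cmd)
    # Rule 3: login.keychain-db opened outside the allowlist, e.g. copied out for offline cracking (step 04).
    if KEYCHAIN_FILE.search(path) and proc not in TRUSTED_READERS:
        return ("keychain-file-access", user, proc, path)
    return None

def scan(lines: List[str]) -> List[tuple]:
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed collector line: skip it
        hit = inspect_event(ev)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for rule, user, proc, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] user={user} proc={proc} {detail}")
```

Of the five constructed events, the three that correspond to steps 03 and 04 are flagged; the ordinary `security list-keychains` call and securityd's own access to the file are not.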
§ Related dossiers
- Exported ContentProvider → private data leak (3 shared techniques)
  App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.
- Evil maid → sniff TPM unseal → decrypt BitLocker offline (2 shared techniques)
  Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
- Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022) (2 shared techniques)
  Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (2 shared techniques)
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Spectre-class side-channel → cross-tenant memory leak (2 shared techniques)
  Pre-mitigation cloud VM lets a co-tenant trigger speculative loads from kernel / sibling-VM memory. Cache-side-channel measurements recover sensitive data, including TLS keys + cloud creds.
- BLE eavesdrop + replay → smart lock open (2 shared techniques)
  Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device.