216.73.217.98

T1634.001: Keychain

View on MITRE ATT&CK The MITRE Corporation · Published 01/04/2022 17:01 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1634.001
Confidence
100/100
Revoked
No
Published
01/04/2022 17:01
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Platforms

iOS

Description

Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)

Kill chain phases

Kill chainPhase
mitre-mobile-attack credential-access

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references