Mac Attacks Along the Kill Chain: Credential Theft [VIDEO]


This blog is the third in a series from CrowdStrike’s RSA 2019 keynote, “Hacking Exposed: Hacking Macs,” where I joined CrowdStrike’s co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, as we demonstrated real-world attacks against MacOS machines and networks. In this video, I demonstrate the third stage of an attack, “Credential Theft.” In my previous blogs, I focused on the first attack stage, “Delivery,” and the second stage, “Privilege Escalation.”

Hash Collection

In the first demo in this series, I showed how the Delivery stage of an attack is accomplished via a CustomURLScheme. We saw in the Privilege Escalation demo how attackers can gain root privileges to perform a number of different tasks — including “Credential Theft,” the subject of this blog.

Mimikatz — which Dmitri calls the “AK47 of cyber” — has become a popular tool for achieving credential theft in Windows environments. In fact, CrowdStrike has observed it in almost every Windows-based attack we’ve seen, regardless of the adversary. This is because Mimikatz is often able to hand the attacker plain-text passwords by pulling them from memory. Macs, however, present more of a challenge to attackers.

On Macs, login passwords are often stolen from the files located inside of the /var/db/dslocal/nodes/Default/users/ directory, where each user on the system has his own plist file. Inside this plist file is an entry titled “ShadowHashData,” which can be used to build a password hash.

Until recently, the “defaults” command was the most commonly used tool to access this hash data. However, Apple’s System Integrity Protection has started preventing processes from opening files within the /var/db/dslocal/nodes/Default/users/ directory. The most convenient way to access this data now is by using the dscl command, which is Apple’s go-to tool for various administrative tasks.

Walking Through an Attack

In the demo video, we show you what a  hash collector looks like as a Python script — here is how this stage unfolds:

  • First, the attacker uses the dscl command to dump all the data necessary to build a password hash.
  • Next, the attacker passes that data to the xxd command, which will greatly reduce the number of steps it would take to manually convert this hex data to a usable binary plist format.
  • Finally, the attacker converts the binary plist to xml so that it’s readable. He can now use the pieces of this xml to build a password hash.

Once this process is complete, an attacker can take the stolen password hash and plug it into something like OCLHashcat to perform a number of different password cracking techniques aimed at acquiring a plain-text password.


The video also addresses some countermeasure that can defend your organization against this stage of an attack. The following are recommendations for avoiding credential theft:

  • It’s critical to use strong passwords. This may sound like a simple prescriptive, but the more complex your passwords are, the harder they are to crack. If nothing else, having a strong password can buy you more time.
  • It’s also imperative that organizations include solutions such as endpoint detection and response (EDR), which can monitor and alert on activities such as hash dumping.
  • Ensure that your keychain password is different from your login password. This will keep attackers from decrypting the rest of the passwords in your keychain, should they manage to decrypt your login password.

Additional Resources


CrowdStrike Falcon Free Trial

Jaron Bradley

Jaron Bradley has a background in Host-Based Incident Response and has focused mainly on detected targeted attacks. Bradley is currently the youngest member of CrowdStrike’s Falcon Overwatch where he serves as one of the company’s top intrusion analysts, concentrates on OSX-based analysis, and plays a vital role in finding anomalous activity on customer networks.


Try CrowdStrike Free for 15 Days Get Started with A Free Trial