Keychain

let KeychainCommands = dynamic(["dump-keychain", "find-generic-password", "find-internet-password", "find-certificate", "export -k", "SecKeychainFindInternetPassword", "SecKeychainItemCopyAttributesAndData", "SecItemCopyMatching", "keychaindump"]);
let KeychainFiles = dynamic(["login.keychain", "login.keychain-db", "System.keychain", "/Library/Keychains/", "keychain-2.db"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (KeychainCommands)
    or (FileName =~ "security" and ProcessCommandLine has_any ("dump-keychain", "find-generic-password", "find-internet-password", "find-certificate"))
| extend KeychainDump = ProcessCommandLine has "dump-keychain"
| extend PasswordQuery = ProcessCommandLine has_any ("find-generic-password", "find-internet-password")
| extend CertExport = ProcessCommandLine has "find-certificate"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         KeychainDump, PasswordQuery, CertExport
| sort by Timestamp desc

index=osxlog sourcetype="syslog" OR sourcetype="osquery:results"
  ("security" AND ("dump-keychain" OR "find-generic-password" OR "find-internet-password" OR "find-certificate"))
  OR "keychaindump"
  OR "SecKeychainFindInternetPassword"
  OR "SecItemCopyMatching"
| eval CommandLine=coalesce(cmdline, columns.cmdline, _raw)
| eval KeychainDump=if(match(CommandLine, "dump-keychain"), 1, 0)
| eval PasswordQuery=if(match(CommandLine, "(find-generic-password|find-internet-password)"), 1, 0)
| eval CertExport=if(match(CommandLine, "find-certificate"), 1, 0)
| eval SuspicionScore=KeychainDump*3 + PasswordQuery + CertExport
| where SuspicionScore > 0
| table _time, host, user, CommandLine, KeychainDump, PasswordQuery, CertExport, SuspicionScore
| sort - _time

process where event.type == "start"
  and host.os.type == "macos"
  and (
    (
      process.name == "security"
      and process.args : ("dump-keychain", "find-generic-password", "find-internet-password", "find-certificate")
    )
    or process.name == "keychaindump"
    or process.command_line : ("*SecKeychainFindInternetPassword*", "*SecItemCopyMatching*", "*SecKeychainItemCopyAttributesAndData*")
    or process.args : ("*/Library/Keychains/*", "*login.keychain*", "*login.keychain-db*", "*System.keychain*", "*keychain-2.db*")
  )

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  hostname,
  UTF8(payload) AS RawEvent
FROM events
WHERE (
  (
    UTF8(payload) ILIKE '%security%'
    AND (
      UTF8(payload) ILIKE '%dump-keychain%'
      OR UTF8(payload) ILIKE '%find-generic-password%'
      OR UTF8(payload) ILIKE '%find-internet-password%'
      OR UTF8(payload) ILIKE '%find-certificate%'
    )
  )
  OR UTF8(payload) ILIKE '%keychaindump%'
  OR UTF8(payload) ILIKE '%SecKeychainFindInternetPassword%'
  OR UTF8(payload) ILIKE '%SecItemCopyMatching%'
  OR UTF8(payload) ILIKE '%SecKeychainItemCopyAttributesAndData%'
)
AND starttime > NOW() - 86400000
ORDER BY starttime DESC

(_sourceCategory=macos* OR _sourceCategory=endpoint* OR _sourceCategory=osquery*)
| where _raw matches "*dump-keychain*"
  OR _raw matches "*find-generic-password*"
  OR _raw matches "*find-internet-password*"
  OR _raw matches "*find-certificate*"
  OR _raw matches "*keychaindump*"
  OR _raw matches "*SecKeychainFindInternetPassword*"
  OR _raw matches "*SecItemCopyMatching*"
  OR _raw matches "*SecKeychainItemCopyAttributesAndData*"
| parse regex "(?<CommandLine>(?:security|keychaindump)[^\n]*)" nodrop
| if (isNull(CommandLine), _raw, CommandLine) as CommandLine
| if (CommandLine matches "*dump-keychain*", "true", "false") as KeychainDump
| if (CommandLine matches "*find-generic-password*" OR CommandLine matches "*find-internet-password*", "true", "false") as PasswordQuery
| if (CommandLine matches "*find-certificate*", "true", "false") as CertExport
| if (CommandLine matches "*SecKeychainFindInternetPassword*" OR CommandLine matches "*SecItemCopyMatching*", "true", "false") as APIAbuse
| fields _messageTime, _sourceHost, CommandLine, KeychainDump, PasswordQuery, CertExport, APIAbuse
| sort by _messageTime desc

rule T1555_001_Keychain_Access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects macOS Keychain credential access via security CLI, keychaindump binary, or Keychain Services API abuse in process command lines"
    severity = "HIGH"
    mitre_attack = "T1555.001"
    platform = "macOS"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `/security$`) and
        re.regex($e.target.process.command_line, `(dump-keychain|find-generic-password|find-internet-password|find-certificate)`)
      ) or
      re.regex($e.target.process.file.full_path, `keychaindump`) or
      re.regex($e.target.process.command_line, `(keychaindump|SecKeychainFindInternetPassword|SecItemCopyMatching|SecKeychainItemCopyAttributesAndData)`) or
      re.regex($e.target.process.command_line, `Library/Keychains`)
    )

  condition:
    $e
}

#event_simpleName = "ProcessRollup2"
| FileName = /^(security|keychaindump)$/i OR CommandLine = /(dump-keychain|find-generic-password|find-internet-password|find-certificate|keychaindump|SecKeychainFindInternetPassword|SecItemCopyMatching|SecKeychainItemCopyAttributesAndData)/i OR CommandLine = /Library.Keychains/i
| KeychainDump := if(CommandLine=~/dump-keychain/i, 1, 0)
| PasswordQuery := if(CommandLine=~/(find-generic-password|find-internet-password)/i, 1, 0)
| CertExport := if(CommandLine=~/find-certificate/i, 1, 0)
| SuspicionScore := KeychainDump*3 + PasswordQuery + CertExport
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, KeychainDump, PasswordQuery, CertExport, SuspicionScore])
| sort(timestamp, order=desc)