Detect Keychain in Google Chronicle
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1555 Credentials from Password Stores
- Sub-technique: T1555.001 Keychain
- Canonical reference: https://attack.mitre.org/techniques/T1555/001/
YARA-L Detection Query
```yaral
rule T1555_001_Keychain_Access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects macOS Keychain credential access via security CLI, keychaindump binary, or Keychain Services API abuse in process command lines"
    severity = "HIGH"
    mitre_attack = "T1555.001"
    platform = "macOS"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `/security$`) and
        re.regex($e.target.process.command_line, `(dump-keychain|find-generic-password|find-internet-password|find-certificate)`)
      ) or
      re.regex($e.target.process.file.full_path, `keychaindump`) or
      re.regex($e.target.process.command_line, `(keychaindump|SecKeychainFindInternetPassword|SecItemCopyMatching|SecKeychainItemCopyAttributesAndData)`) or
      re.regex($e.target.process.command_line, `Library/Keychains`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 detection rule for macOS Keychain credential theft via the security CLI, the keychaindump binary, or Keychain Services API references in process command lines. It uses UDM PROCESS_LAUNCH events and inspects the target process fields (the launched process's executable path and command line).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate macOS MDM or security management solutions invoking the security CLI for certificate inventory as part of device compliance enforcement
- Password manager desktop applications (e.g., 1Password, Dashlane) using Keychain Services API during account unlock or credential synchronization
- macOS system processes or Apple Migration Assistant accessing Library/Keychains/ during account migration or iCloud Keychain synchronization
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Dump Login Keychain with security command
  Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.
- Test 2: Extract specific password from Keychain
  Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.
- Test 3: Copy Keychain database file for offline extraction
  Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.
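To check the rule's logic and the tuning exclusions offline before deploying, here is an added Python port of the rule's events predicate run over constructed UDM PROCESS_LAUNCH events mirroring the three tests above (example code, not the page's rule or Chronicle's engine). The event dict shapes, the parent-process allowlist, and the /Library/ExampleMDM/agent path are assumptions made for illustration.

```python
import re

# Predicates ported from the page's YARA-L rule; Chronicle's re.regex is an
# unanchored search, which Python's re.search reproduces.
SECURITY_BIN = re.compile(r"/security$")
SECURITY_SUBCMD = re.compile(r"(dump-keychain|find-generic-password|find-internet-password|find-certificate)")
KEYCHAINDUMP_BIN = re.compile(r"keychaindump")
API_OR_TOOL = re.compile(r"(keychaindump|SecKeychainFindInternetPassword|SecItemCopyMatching|SecKeychainItemCopyAttributesAndData)")
KEYCHAIN_DIR = re.compile(r"Library/Keychains")

def rule_matches(event):
    """Evaluate the rule's events section against one UDM event dict."""
    if event["metadata"]["event_type"] != "PROCESS_LAUNCH":
        return False
    proc = event["target"]["process"]
    path, cmd = proc["file"]["full_path"], proc["command_line"]
    return bool((SECURITY_BIN.search(path) and SECURITY_SUBCMD.search(cmd))
                or KEYCHAINDUMP_BIN.search(path)
                or API_OR_TOOL.search(cmd)
                or KEYCHAIN_DIR.search(cmd))

def tuned_matches(event, allowed_parents):
    """Same rule, but suppress launches whose parent binary is on a vetted
    allowlist (the MDM / password-manager exclusion from the tuning section)."""
    parent = event["principal"]["process"]["file"]["full_path"]
    return rule_matches(event) and parent not in allowed_parents

def launch(path, cmd, parent="/bin/zsh"):
    """Build a constructed UDM PROCESS_LAUNCH event (not real telemetry)."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": path}, "command_line": cmd}}}

# Constructed events: the page's three tests, one benign security call,
# and an MDM-style certificate inventory (placeholder agent path).
SAMPLE_EVENTS = [
    launch("/usr/bin/security", "security dump-keychain -d login.keychain"),
    launch("/usr/bin/security", "security find-generic-password -wa alice"),
    launch("/bin/cp", "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/lk"),
    launch("/usr/bin/security", "security list-keychains"),
    launch("/usr/bin/security", "security find-certificate -a", parent="/Library/ExampleMDM/agent"),
]
ALLOWED_PARENTS = {"/Library/ExampleMDM/agent"}  # placeholder; hold vetted agents here

def evaluate(events=SAMPLE_EVENTS, allowed_parents=ALLOWED_PARENTS):
    """Return (raw hits, tuned hits) so the allowlist's effect is visible."""
    return ([rule_matches(e) for e in events],
            [tuned_matches(e, allowed_parents) for e in events])
# evaluate() -> ([True, True, True, False, True], [True, True, True, False, False])
```

The fourth event shows that a plain `security list-keychains` does not fire, and the fifth shows the certificate-inventory false positive from the tuning section being suppressed only by the allowlist, not by the rule itself.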
References
- https://attack.mitre.org/techniques/T1555/001/
- https://developer.apple.com/documentation/security/keychain_services
- https://www.netmeister.org/blog/keychain-passwords.html
- https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md