Detect Keychain in Elastic Security
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.001 Keychain
- Canonical reference
- https://attack.mitre.org/techniques/T1555/001/
Elastic Detection Query
process where event.type == "start"
and host.os.type == "macos"
and (
(
process.name == "security"
and process.args : ("dump-keychain", "find-generic-password", "find-internet-password", "find-certificate")
)
or process.name == "keychaindump"
or process.command_line : ("*SecKeychainFindInternetPassword*", "*SecItemCopyMatching*", "*SecKeychainItemCopyAttributesAndData*")
or process.args : ("*/Library/Keychains/*", "*login.keychain*", "*login.keychain-db*", "*System.keychain*", "*keychain-2.db*")
)Detects macOS Keychain credential access via the security CLI utility, keychaindump tool, or Keychain Services API function references in process command lines using Elastic ECS process events.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running authorized keychain audits using the security CLI for credential inventory or rotation tasks
- Password manager desktop clients (1Password CLI, Bitwarden) accessing login.keychain-db during normal vault unlock or credential sync operations
- macOS application developers testing Keychain Services API integration (SecItemCopyMatching) on local development endpoints
- Certificate management automation scripts using security find-certificate to export code signing certs for CI/CD pipeline deployment
Other platforms for T1555.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Dump Login Keychain with security command
Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.
- Test 2Extract specific password from Keychain
Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.
- Test 3Copy Keychain database file for offline extraction
Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.
References (6)
- https://attack.mitre.org/techniques/T1555/001/
- https://developer.apple.com/documentation/security/keychain_services
- https://www.netmeister.org/blog/keychain-passwords.html
- https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
Unlock Pro Content
Get the full detection package for T1555.001 including response playbook, investigation guide, and atomic red team tests.