Detect Keychain in CrowdStrike LogScale
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.001 Keychain
- Canonical reference
- https://attack.mitre.org/techniques/T1555/001/
LogScale Detection Query
#event_simpleName = "ProcessRollup2"
| FileName = /^(security|keychaindump)$/i OR CommandLine = /(dump-keychain|find-generic-password|find-internet-password|find-certificate|keychaindump|SecKeychainFindInternetPassword|SecItemCopyMatching|SecKeychainItemCopyAttributesAndData)/i OR CommandLine = /Library.Keychains/i
| KeychainDump := if(CommandLine=~/dump-keychain/i, 1, 0)
| PasswordQuery := if(CommandLine=~/(find-generic-password|find-internet-password)/i, 1, 0)
| CertExport := if(CommandLine=~/find-certificate/i, 1, 0)
| SuspicionScore := KeychainDump*3 + PasswordQuery + CertExport
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, KeychainDump, PasswordQuery, CertExport, SuspicionScore])
| sort(timestamp, order=desc)CrowdStrike LogScale detection for macOS Keychain credential access via ProcessRollup2 events, matching the security utility with credential-dumping subcommands, the keychaindump tool, or Keychain API function references, scored by technique specificity.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing exercises using keychaindump as part of an agreed-scope engagement on managed macOS endpoints
- macOS system administrator automation scripts using security find-internet-password for managed service credential retrieval in approved operational runbooks
- Software development CI/CD pipelines running Keychain Services API integration tests on enrolled developer macOS endpoints registered in Falcon
Other platforms for T1555.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Dump Login Keychain with security command
Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.
- Test 2Extract specific password from Keychain
Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.
- Test 3Copy Keychain database file for offline extraction
Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.
References (6)
- https://attack.mitre.org/techniques/T1555/001/
- https://developer.apple.com/documentation/security/keychain_services
- https://www.netmeister.org/blog/keychain-passwords.html
- https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
Unlock Pro Content
Get the full detection package for T1555.001 including response playbook, investigation guide, and atomic red team tests.