Detect Keychain in IBM QRadar
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.001 Keychain
- Canonical reference
- https://attack.mitre.org/techniques/T1555/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip,
username,
hostname,
UTF8(payload) AS RawEvent
FROM events
WHERE (
(
UTF8(payload) ILIKE '%security%'
AND (
UTF8(payload) ILIKE '%dump-keychain%'
OR UTF8(payload) ILIKE '%find-generic-password%'
OR UTF8(payload) ILIKE '%find-internet-password%'
OR UTF8(payload) ILIKE '%find-certificate%'
)
)
OR UTF8(payload) ILIKE '%keychaindump%'
OR UTF8(payload) ILIKE '%SecKeychainFindInternetPassword%'
OR UTF8(payload) ILIKE '%SecItemCopyMatching%'
OR UTF8(payload) ILIKE '%SecKeychainItemCopyAttributesAndData%'
)
AND starttime > NOW() - 86400000
ORDER BY starttime DESCDetects macOS Keychain credential dumping activity via payload pattern matching across syslog and endpoint data sources ingested into QRadar. Matches security CLI subcommands and known Keychain API function names in raw log payloads.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT helpdesk automation using security find-generic-password to retrieve stored service account credentials from keychain for managed systems
- CI/CD pipeline scripts using security find-certificate to export code signing certificates for build automation and notarization
- macOS MDM enrollment and management agents accessing System.keychain during device provisioning or certificate push operations
Other platforms for T1555.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Dump Login Keychain with security command
Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.
- Test 2Extract specific password from Keychain
Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.
- Test 3Copy Keychain database file for offline extraction
Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.
References (6)
- https://attack.mitre.org/techniques/T1555/001/
- https://developer.apple.com/documentation/security/keychain_services
- https://www.netmeister.org/blog/keychain-passwords.html
- https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
Unlock Pro Content
Get the full detection package for T1555.001 including response playbook, investigation guide, and atomic red team tests.