T1555.001 Microsoft Sentinel · KQL

Detect Keychain in Microsoft Sentinel

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.001 Keychain
Canonical reference
https://attack.mitre.org/techniques/T1555/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let KeychainCommands = dynamic(["dump-keychain", "find-generic-password", "find-internet-password", "find-certificate", "export -k", "SecKeychainFindInternetPassword", "SecKeychainItemCopyAttributesAndData", "SecItemCopyMatching", "keychaindump"]);
let KeychainFiles = dynamic(["login.keychain", "login.keychain-db", "System.keychain", "/Library/Keychains/", "keychain-2.db"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (KeychainCommands)
    or (FileName =~ "security" and ProcessCommandLine has_any ("dump-keychain", "find-generic-password", "find-internet-password", "find-certificate"))
| extend KeychainDump = ProcessCommandLine has "dump-keychain"
| extend PasswordQuery = ProcessCommandLine has_any ("find-generic-password", "find-internet-password")
| extend CertExport = ProcessCommandLine has "find-certificate"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         KeychainDump, PasswordQuery, CertExport
| sort by Timestamp desc
high severity high confidence

Detects macOS Keychain credential access using the security command-line utility and known Keychain dump tools. Identifies dump-keychain operations, password queries via find-generic-password/find-internet-password, certificate exports, and use of keychaindump. Covers techniques used by Empire, LaZagne, BeaverTail, and Cuckoo Stealer on macOS.

Data Sources

Process: Process CreationCommand: Command ExecutionFile: File Access

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • macOS developers using security command-line tool to manage certificates during code signing workflows
  • IT automation scripts that query Keychain for WiFi or VPN credentials during device provisioning
  • Backup software that reads Keychain files as part of system-level backup operations
  • Apple software update processes that interact with the System Keychain
Download portable Sigma rule (.yml)

Other platforms for T1555.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Dump Login Keychain with security command

    Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.

  2. Test 2Extract specific password from Keychain

    Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.

  3. Test 3Copy Keychain database file for offline extraction

    Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1555.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password ManagersT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1555.002Securityd MemoryT1003OS Credential DumpingT1552.001Credentials In FilesT1539Steal Web Session CookieT1056.001Keylogging

Same Tactic: Credential Access

Popular Detections