Detect Keychain in Splunk
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.001 Keychain
- Canonical reference
- https://attack.mitre.org/techniques/T1555/001/
SPL Detection Query
index=osxlog sourcetype="syslog" OR sourcetype="osquery:results"
("security" AND ("dump-keychain" OR "find-generic-password" OR "find-internet-password" OR "find-certificate"))
OR "keychaindump"
OR "SecKeychainFindInternetPassword"
OR "SecItemCopyMatching"
| eval CommandLine=coalesce(cmdline, columns.cmdline, _raw)
| eval KeychainDump=if(match(CommandLine, "dump-keychain"), 1, 0)
| eval PasswordQuery=if(match(CommandLine, "(find-generic-password|find-internet-password)"), 1, 0)
| eval CertExport=if(match(CommandLine, "find-certificate"), 1, 0)
| eval SuspicionScore=KeychainDump*3 + PasswordQuery + CertExport
| where SuspicionScore > 0
| table _time, host, user, CommandLine, KeychainDump, PasswordQuery, CertExport, SuspicionScore
| sort - _timeDetects macOS Keychain credential access via syslog and osquery telemetry. Scores events by severity — dump-keychain operations receive the highest weight as they indicate bulk credential extraction. Covers the security CLI, keychaindump tool, and Keychain Services API function calls.
Data Sources
Required Sourcetypes
False Positives & Tuning
- macOS developers using security command-line tool to manage certificates during code signing workflows
- IT automation scripts that query Keychain for WiFi or VPN credentials during device provisioning
- Backup software that reads Keychain files as part of system-level backup operations
Other platforms for T1555.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Dump Login Keychain with security command
Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.
- Test 2Extract specific password from Keychain
Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.
- Test 3Copy Keychain database file for offline extraction
Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.
References (6)
- https://attack.mitre.org/techniques/T1555/001/
- https://developer.apple.com/documentation/security/keychain_services
- https://www.netmeister.org/blog/keychain-passwords.html
- https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
Unlock Pro Content
Get the full detection package for T1555.001 including response playbook, investigation guide, and atomic red team tests.