T1555.001 Sumo Logic CSE · Sumo

Detect Keychain in Sumo Logic CSE

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1555 Credentials from Password Stores
Sub-technique: T1555.001 Keychain
Canonical reference: https://attack.mitre.org/techniques/T1555/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory=macos* OR _sourceCategory=endpoint* OR _sourceCategory=osquery*)
| where _raw matches "*dump-keychain*"
  OR _raw matches "*find-generic-password*"
  OR _raw matches "*find-internet-password*"
  OR _raw matches "*find-certificate*"
  OR _raw matches "*keychaindump*"
  OR _raw matches "*SecKeychainFindInternetPassword*"
  OR _raw matches "*SecItemCopyMatching*"
  OR _raw matches "*SecKeychainItemCopyAttributesAndData*"
| parse regex "(?<CommandLine>(?:security|keychaindump)[^\n]*)" nodrop
| if (isNull(CommandLine), _raw, CommandLine) as CommandLine
| if (CommandLine matches "*dump-keychain*", "true", "false") as KeychainDump
| if (CommandLine matches "*find-generic-password*" OR CommandLine matches "*find-internet-password*", "true", "false") as PasswordQuery
| if (CommandLine matches "*find-certificate*", "true", "false") as CertExport
| if (CommandLine matches "*SecKeychainFindInternetPassword*" OR CommandLine matches "*SecItemCopyMatching*", "true", "false") as APIAbuse
| fields _messageTime, _sourceHost, CommandLine, KeychainDump, PasswordQuery, CertExport, APIAbuse
| sort by _messageTime desc
```

Severity: high. Confidence: medium.

Detects macOS Keychain credential access in Sumo Logic by matching known-bad command substrings across macOS syslog, endpoint and OSQuery data, then extracting the `security` or `keychaindump` command line and enriching each result with per-technique classification flags (KeychainDump, PasswordQuery, CertExport, APIAbuse). Rows that match only `keychaindump` or `SecKeychainItemCopyAttributesAndData` are still returned, but carry no flag.

Data Sources

  • macOS syslog forwarded via Sumo Logic Installed Collector
  • Sumo Logic macOS Endpoint Source
  • OSQuery results via Sumo Logic OSQuery application

Required Tables

  • _sourceCategory=macos*
  • _sourceCategory=endpoint*
  • _sourceCategory=osquery*

False Positives & Tuning

  • Authorized security team running periodic keychain audits as part of credential hygiene assessments or pre-approved security exercises
  • macOS application installers or software updaters calling security find-certificate to verify code signing identity before installation proceeds
  • Developer workstations running automated integration tests for macOS applications that exercise the Keychain Services API
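
The following Python script is an added example, not part of this detection page or of Sumo Logic's tooling. It reimplements the query's three stages (coarse substring filter, CommandLine extraction with the same regex, per-technique flags) over a handful of constructed log lines, and then applies one of the tuning ideas from the list above: suppressing `find-certificate`-only events from allowlisted installers while leaving every dump or password read visible. The `parent=` token, the allowlisted paths and the sample records are all assumptions made for the example; real telemetry will name the responsible process differently.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Substrings the page's Sumo query matches against _raw, reproduced verbatim.
KEYCHAIN_INDICATORS = (
    "dump-keychain",
    "find-generic-password",
    "find-internet-password",
    "find-certificate",
    "keychaindump",
    "SecKeychainFindInternetPassword",
    "SecItemCopyMatching",
    "SecKeychainItemCopyAttributesAndData",
)

# Same pattern as the query's `parse regex ... nodrop` stage.
COMMANDLINE_RE = re.compile(r"(?P<CommandLine>(?:security|keychaindump)[^\n]*)")

# ASSUMPTION for the tuning step: the log source carries a `parent=<path>` token
# naming the responsible process. The token and the allowlisted paths are constructed.
PARENT_RE = re.compile(r"parent=(?P<parent>\S+)")
CERT_CHECK_ALLOWLIST = {"/usr/sbin/installer", "/opt/corp/updater"}


@dataclass
class Finding:
    host: str
    command_line: str
    keychain_dump: bool
    password_query: bool
    cert_export: bool
    api_abuse: bool
    suppressed: bool = False


def classify(raw: str, host: str) -> Optional[Finding]:
    """Stages 1-3 of the query: coarse filter, CommandLine extraction, per-technique flags."""
    if not any(ind in raw for ind in KEYCHAIN_INDICATORS):
        return None  # the `where` clause drops this row
    m = COMMANDLINE_RE.search(raw)
    cmd = m.group("CommandLine") if m else raw  # nodrop, then if(isNull(...), _raw, ...)
    return Finding(
        host=host,
        command_line=cmd,
        keychain_dump="dump-keychain" in cmd,
        password_query=("find-generic-password" in cmd or "find-internet-password" in cmd),
        cert_export="find-certificate" in cmd,
        api_abuse=("SecKeychainFindInternetPassword" in cmd or "SecItemCopyMatching" in cmd),
    )


def apply_tuning(finding: Finding, raw: str) -> Finding:
    """Suppress find-certificate-only events from allowlisted installers/updaters.
    A dump, password read or API call on the same line is never suppressed."""
    only_cert = finding.cert_export and not (
        finding.keychain_dump or finding.password_query or finding.api_abuse
    )
    m = PARENT_RE.search(raw)
    if only_cert and m and m.group("parent") in CERT_CHECK_ALLOWLIST:
        finding.suppressed = True
    return finding


def run_detection(records: Iterable[Tuple[str, str]]) -> List[Finding]:
    """records: (host, raw) pairs. Returns every matching row with flags and tuning applied."""
    out: List[Finding] = []
    for host, raw in records:
        f = classify(raw, host)
        if f is not None:
            out.append(apply_tuning(f, raw))
    return out


def alerts(records: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Only the rows an analyst should see after tuning."""
    return [f for f in run_detection(records) if not f.suppressed]


# Constructed sample telemetry in a loose syslog-like shape (not real logs).
SAMPLE_RECORDS = [
    ("mac-042", "Jan 10 09:12:01 mac-042 exec[3311]: parent=/bin/zsh security dump-keychain -d /Users/jdoe/Library/Keychains/login.keychain-db"),
    ("mac-042", "Jan 10 09:13:44 mac-042 exec[3320]: parent=/bin/zsh security find-generic-password -s corp-vpn -w"),
    ("mac-017", "Jan 10 09:15:02 mac-017 exec[8102]: parent=/usr/sbin/installer security find-certificate -c 'Developer ID Application' -p"),
    ("mac-017", "Jan 10 09:15:09 mac-017 exec[8110]: parent=/bin/bash ./keychaindump"),
    ("mac-099", "Jan 10 09:16:30 mac-099 osquery[455]: api_call=SecItemCopyMatching caller=/Applications/Notes.app"),
    ("mac-099", "Jan 10 09:17:00 mac-099 exec[460]: parent=/bin/zsh ls -la /Users/jdoe/Library/Keychains"),
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_RECORDS):
        flags = [n for n in ("keychain_dump", "password_query", "cert_export", "api_abuse") if getattr(f, n)]
        print(f.host, "SUPPRESSED" if f.suppressed else "ALERT", flags, f.command_line)
```

Running it on the constructed records yields five matching rows and four alerts: the installer's `find-certificate` call is suppressed, the `keychaindump` row is alerted on with no flag set (exactly as the Sumo query behaves), the OSQuery API line falls back to the whole raw message as its CommandLine because the regex finds neither `security` nor `keychaindump`, and the harmless `ls` of the Keychains directory never passes the first filter.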

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Dump Login Keychain with security command

    Expected signal: macOS Unified Log entry for /usr/bin/security process with 'dump-keychain -d' arguments. ESF process execution event. EDR process creation event with full command line.

  2. Test 2: Extract specific password from Keychain

    Expected signal: macOS Unified Log entry for /usr/bin/security with 'find-generic-password' and '-w' arguments. ESF Keychain item access event.

  3. Test 3: Copy Keychain database file for offline extraction

    Expected signal: ESF file copy event for login.keychain-db. Sysmon for macOS or EDR file creation event at destination path. macOS Unified Log may not capture this if only CLI cp is used.
