title: Keychain (T1555.001)
id: df00tech-t1555-001
status: experimental
description: "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. Adversaries may gather user credentials from Keychain storage/memory using the security command-line utility (e.g., security dump-keychain -d), by directly reading Keychain database files from ~/Library/Keychains/, or programmatically via Keychain Services API functions like SecKeychainFindInternetPassword and SecItemCopyMatching."
references:
  - https://attack.mitre.org/techniques/T1555/001/
  - https://df00tech.com/detections/T1555.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1555.001
# NOTE: logsource was auto-derived; the technique is macOS-only, so product is set to macos here
logsource:
  category: process_creation
  product: macos
detection:
  # Selections derived from the description above: the security(1) CLI dumping a keychain,
  # and any process whose command line names a keychain database under Library/Keychains/.
  # Programmatic access through Keychain Services (SecKeychainFindInternetPassword,
  # SecItemCopyMatching) leaves no process_creation artefact and is not covered by this
  # rule; see the KQL/SPL query on df00tech for the full logic.
  selection_dump:
    Image|endswith: '/security'
    CommandLine|contains: 'dump-keychain'
  selection_file:
    CommandLine|contains: '/Library/Keychains/'
  condition: 1 of selection_*
falsepositives:
  - macOS developers using security command-line tool to manage certificates during code signing workflows
  - IT automation scripts that query Keychain for WiFi or VPN credentials during device provisioning
  - Backup software that reads Keychain files as part of system-level backup operations
  - Apple software update processes that interact with the System Keychain
level: high
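The following is an added example, not part of the df00tech rule or of any Sigma backend. It applies the two process_creation selections (the security CLI with dump-keychain, and a command line naming a keychain database path) to a handful of constructed macOS events, including the code-signing case listed under falsepositives, so the rule's logic can be checked offline. Field names (Image, CommandLine, User) follow the Sigma process_creation schema; the events themselves are constructed and are not real telemetry.

```python
"""
Added example (not the df00tech rule's own code or a Sigma backend): evaluates the
T1555.001 process_creation selections over constructed macOS events so the logic can
be checked against both a true positive and the listed false positives.
Field names follow the Sigma process_creation schema; the events are constructed.
"""
from typing import Optional

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Credential dump of the login keychain via the security CLI (true positive).
    {"Image": "/usr/bin/security",
     "CommandLine": "security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db",
     "User": "alice"},
    # 2. Code-signing workflow listed under falsepositives: same binary, benign subcommand.
    {"Image": "/usr/bin/security",
     "CommandLine": "security find-identity -v -p codesigning",
     "User": "builder"},
    # 3. Direct copy of the keychain database file with a generic tool.
    {"Image": "/bin/cp",
     "CommandLine": "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/lk.db",
     "User": "alice"},
    # 4. Unrelated process; must not match.
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -sS https://example.invalid/health",
     "User": "alice"},
]


def selection_dump(event: dict) -> bool:
    """security(1) invoked with dump-keychain: Image|endswith plus CommandLine|contains."""
    return (event.get("Image", "").endswith("/security")
            and "dump-keychain" in event.get("CommandLine", ""))


def selection_file(event: dict) -> bool:
    """Any process whose command line names a keychain database path."""
    return "/Library/Keychains/" in event.get("CommandLine", "")


def classify(event: dict) -> Optional[str]:
    """Return the name of the first selection that fires, mirroring '1 of selection_*'."""
    if selection_dump(event):
        return "selection_dump"
    if selection_file(event):
        return "selection_file"
    return None


def run(events) -> list:
    """Evaluate every event; return (index, selection_name) for the ones that alert."""
    hits = []
    for i, ev in enumerate(events):
        name = classify(ev)
        if name is not None:
            hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, sel in run(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT [{sel}] user={ev['User']} cmd={ev['CommandLine']}")
```

Events 1 and 3 alert (dump-keychain, and a generic tool reading the keychain file); the find-identity call from the code-signing workflow does not, which is the behaviour the falsepositives list asks for. Tuning for backup agents that legitimately read keychain files belongs in a filter on Image or ParentImage, not in the selections themselves.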
