MacOS Keychains Dumped
- source: splunk
- techniques:
  - T1555.001
Description
Detects command-line attempts to access or dump macOS Keychain data using native utilities or direct file access.
This includes credential dumping via the security utility (e.g. dump-keychain -d), bulk certificate export using security find-certificate, and direct file copying of Keychain database files using utilities such as cat.
Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.
This technique is commonly associated with post-exploitation credential harvesting, where an attacker with local access seeks to escalate privileges or move laterally by obtaining stored credentials for applications, Wi-Fi networks, system services, and certificates.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
values(Processes.parent_process) AS parent_process
values(Processes.parent_process_exec) AS parent_process_exec
values(Processes.parent_process_id) AS parent_process_id
values(Processes.parent_process_name) AS parent_process_name
values(Processes.parent_process_path) AS parent_process_path
FROM datamodel=Endpoint.Processes WHERE
(
Processes.process_path="/usr/bin/security"
AND
(
(
Processes.process="*dump-keychain*"
Processes.process="*-d*"
)
OR
(
Processes.process="*find-certificate*"
Processes.process="*-p*"
)
)
)
OR
Processes.process="*keychaindump*"
OR
(
Processes.process_name IN (
"cat",
"cp",
"dd",
"mv"
)
Processes.process="*Library/Keychains/*"
Processes.process="*.keychain*"
)
by Processes.action Processes.dest Processes.process Processes.process_hash
Processes.process_id Processes.process_name Processes.process_path
Processes.user Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_keychains_dumped_filter`
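As an added example that is not part of the original rule or of Splunk's content, the WHERE clause above re-implemented in Python and run over constructed Endpoint.Processes-style events, so each of the three branches can be checked offline against benign and suspicious command lines. The field names follow the data model; the events, hosts and users are constructed, and the matcher treats values case-insensitively as SPL's field=value comparison does.

```python
import re
from typing import Dict, List, Tuple

# File utilities the rule treats as keychain read/copy tools (the rule's IN (...) list).
FILE_TOOLS = {"cat", "cp", "dd", "mv"}

def _like(value: str, pattern: str) -> bool:
    """Emulate an SPL wildcard comparison: '*' matches anything, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def matches_rule(event: Dict[str, str]) -> bool:
    """True when an event satisfies the rule's WHERE clause (adjacent terms are ANDed)."""
    proc = event.get("process", "")
    path = event.get("process_path", "")
    name = event.get("process_name", "")
    # Branch 1: /usr/bin/security dumping a keychain, or exporting certificates with -p
    security_abuse = path == "/usr/bin/security" and (
        (_like(proc, "*dump-keychain*") and _like(proc, "*-d*"))
        or (_like(proc, "*find-certificate*") and _like(proc, "*-p*"))
    )
    # Branch 2: any command line that references the keychaindump tool
    keychaindump = _like(proc, "*keychaindump*")
    # Branch 3: a file utility touching a keychain database under Library/Keychains/
    file_copy = name in FILE_TOOLS and _like(proc, "*Library/Keychains/*") and _like(proc, "*.keychain*")
    return security_abuse or keychaindump or file_copy

# Constructed sample events in the shape of Endpoint.Processes fields (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "mac01", "user": "alice", "process_name": "security", "process_path": "/usr/bin/security",
     "process": "security dump-keychain -d login.keychain-db"},
    {"dest": "mac01", "user": "alice", "process_name": "security", "process_path": "/usr/bin/security",
     "process": "security find-certificate -a -p"},
    {"dest": "mac02", "user": "bob", "process_name": "security", "process_path": "/usr/bin/security",
     "process": "security list-keychains"},
    {"dest": "mac02", "user": "bob", "process_name": "cat", "process_path": "/bin/cat",
     "process": "cat /Users/bob/Library/Keychains/login.keychain-db"},
    {"dest": "mac03", "user": "carol", "process_name": "cp", "process_path": "/bin/cp",
     "process": "cp /etc/hosts /tmp/hosts"},
    {"dest": "mac03", "user": "carol", "process_name": "python3", "process_path": "/usr/bin/python3",
     "process": "python3 keychaindump.py"},
]

def alerts(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(dest, user, process) for each event the rule would surface, i.e. the 'by' fields of interest."""
    return [(e["dest"], e["user"], e["process"]) for e in events if matches_rule(e)]
```

The third and fifth events show the two most common benign neighbours of this rule (listing keychains, and copying a non-keychain file with cp), which the AND terms keep out of the results.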