DET0396 Detect Access to macOS Keychain for Credential Theft

Item	Value
ID	DET0396
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1555.001 (Keychain)

Analytics

macOS

AN1112

Detects suspicious access to macOS Keychain files and APIs. Observes processes invoking the ‘security’ utility or accessing Keychain databases directly, correlates these with abnormal parent process lineage or unexpected user context. Monitors attempts to dump, unlock, or read credential storage beyond normal application workflows.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	macos:unifiedlog	execution of security or osascript
OS API Execution (DC0021)	macos:unifiedlog	access or unlock attempt to keychain database
File Access (DC0055)	macos:unifiedlog	read access to ~/Library/Keychains/login.keychain-db

Mutable Elements

Field	Description
AllowedApplications	Whitelist of applications (e.g., Safari, Mail) normally permitted to access Keychain
AlertThreshold	Number of failed keychain unlock attempts before raising an alert
ParentProcessContext	Legitimate parent-child process relationships for security tool invocations