SPL · Apache-2.0 · from splunk/security_content

MacOS Keychains Dumped

Detects command lines that read or dump macOS Keychain files. The rule fires on an Endpoint.Processes event whose command line contains either `dump-keychain -d` (the built-in `security` utility's decrypted dump of a keychain) or `keychaindump` (a third-party keychain dumping tool), and, in the same command line, a path under a `/Library/Keychains` directory, i.e. the user keychains in ~/Library/Keychains/ or the system keychains in /Library/Keychains/. Adversaries use these utilities, or direct reads of the keychain database files, to extract stored credentials for applications, Wi-Fi networks, and system services. The technique is commonly associated with post-exploitation credential harvesting, where an attacker with local access seeks to escalate privileges or move laterally with the recovered secrets.

Rule source: detections/endpoint/macos_keychains_dumped.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.process IN ("*dump-keychain -d*", "*keychaindump*")
    AND Processes.process="*/library/keychains*"
  by Processes.dest Processes.original_file_name Processes.parent_process_id
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id
     Processes.process_current_directory Processes.process_name
     Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_keychains_dumped_filter`
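The rule's matching and aggregation, replayed in Python over a handful of constructed Endpoint.Processes events. This is an added illustration, not code from splunk/security_content: the wildcard patterns and the AND between the two conditions are taken from the SPL above, while the case-insensitive comparison (needed for `*/library/keychains*` to hit the real `~/Library/Keychains/` path) and the sample events are assumptions of the example. The grouping is reduced to dest, user and process to keep the output readable.

```python
import re
from collections import defaultdict

# Patterns taken verbatim from the rule's tstats where clause.
DUMP_PATTERNS = ("*dump-keychain -d*", "*keychaindump*")
PATH_PATTERN = "*/library/keychains*"


def splunk_wildcard(pattern: str) -> re.Pattern:
    """Compile a Splunk-style wildcard (only '*' is special) into a regex.
    Assumption: Splunk compares these values case-insensitively, which is what
    lets '*/library/keychains*' match '/Users/alice/Library/Keychains/...'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


DUMP_RES = [splunk_wildcard(p) for p in DUMP_PATTERNS]
PATH_RE = splunk_wildcard(PATH_PATTERN)


def matches_rule(process: str) -> bool:
    """Both where-clause conditions must hold for the same command line:
    one of the dump-tool patterns AND a keychain path."""
    return any(r.match(process) for r in DUMP_RES) and bool(PATH_RE.match(process))


def run_detection(events):
    """Mimic the tstats aggregation: count, min(_time) and max(_time) per
    (dest, user, process) for the events that satisfy matches_rule()."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_rule(ev["process"]):
            continue
        g = groups[(ev["dest"], ev["user"], ev["process"])]
        t = ev["_time"]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return [{"dest": k[0], "user": k[1], "process": k[2], **v}
            for k, v in sorted(groups.items())]


# Constructed sample events (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "mbp-alice", "user": "alice",
     "process": "security list-keychains"},                       # benign, no hit
    {"_time": 1700000060, "dest": "mbp-alice", "user": "alice",
     "process": "security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db"},
    {"_time": 1700000120, "dest": "mbp-alice", "user": "alice",
     "process": "security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db"},
    {"_time": 1700000180, "dest": "mbp-bob", "user": "root",
     "process": "./keychaindump /Library/Keychains/System.keychain"},
    {"_time": 1700000240, "dest": "mbp-bob", "user": "root",
     "process": "./keychaindump"},                                 # no path: no hit
    {"_time": 1700000300, "dest": "mbp-carol", "user": "carol",
     "process": "ls -la /Users/carol/Library/Keychains/"},         # path only: no hit
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

The two non-hits at the end show the consequence of ANDing the conditions: a dump tool invoked without an explicit keychain path, and a plain directory listing of the keychain folder, both fall outside the rule as written. Whether that is acceptable noise reduction or a gap depends on the environment; widen the `IN (...)` list or relax the path condition, and suppress known administrative use in `macos_keychains_dumped_filter`, rather than editing the core logic in place.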