Home/ATT&CK Technique/Keychain
ATT&CK Technique

Keychain

T1555.001 · credential-access

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain.

The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. Adversaries may gather user credentials from Keychain storage/memory.

For example, the command security dump-keychain -d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.

macOS

Actors Using This

9
israel_private_sector_mobile_forensics_cyber_mercenaryCellebrite
multinational_commercial_cyber_mercenaryIntellexa / Predator / Cytrox
north_koreaJade Sleet / TraderTraitor / UNC4899 / Pressure Chollima
predominantly_english_speaking_youth_organized_crimeLAPSUS$
israel_commercial_cyber_mercenaryNSO Group / Pegasus
unattributed_apt_nation_state_speculationOperation Triangulation
israel_commercial_cyber_mercenaryParagon Solutions / Graphite
israel_commercial_cyber_mercenaryQuaDream / Reign
north_koreaSapphire Sleet

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1585.003 · Cloud Accounts ×6.22T1587.002 · Code Signing Certificates ×4.27T1587.004 · Exploits ×2.99
initial-access earlier
T1659 · Content Injection ×12.02T1566.003 · Spearphishing via Service ×2.98
execution earlier
T1059.006 · Python ×5.29
persistence earlier
T1543.001 · Launch Agent ×14.42T1543.004 · Launch Daemon ×11.75
credential-access same
T1606 · Forge Web Credentials ×9.92T1557 · Adversary-in-the-Middle ×6.30
collection later
T1430 · Location Tracking ×7.93T1125 · Video Capture ×6.96T1123 · Audio Capture ×6.30
exfiltration later
T1020 · Automated Exfiltration ×3.47T1029 · Scheduled Transfer ×2.68

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shelevatedmacosKeychain Dump
This command will dump keychain credential information from login.keychain. Source: https://www.loobins.io/binaries/security/ ### Keychain File path ~/Library/Keychains/ /Library/Keychains/ /Network/Library/Keychains/ [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) 
sudo security dump-keychain -d login.keychain
shmacosExport Certificate Item(s)
This command finds all certificate items and sends the output to local file in pem format. 
security find-certificate -a -p > #{cert_export}
shmacosImport Certificate Item(s) into Keychain
This command will import a certificate pem file into a keychain. 
security import #{cert_export} -k
shmacosCopy Keychain using cat utility
This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer. 
cat ~/Library/Keychains/login.keychain-db > #{keychain_export}

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1027Password Policies

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse.

Windows Systems
Use Group Policy Management Console (GPMC) to configure
  • Minimum password length (e.g., 12+ characters).
  • Password complexity requirements.
  • Password history (e.g., disallow last 24 passwords).
  • Account lockout duration and thresholds.
Linux Systems
Configure Pluggable Authentication Modules (PAM)
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.
Password Managers
  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.
Password Blacklisting
  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.
Regular Auditing
  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.
Tools for Implementation Windows
  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.
Linux/macOS
  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.
Cross-Platform
  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 1
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53CA-07, IA-05, SI-04
D3FEND2 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin