Query Details
Mac OS Keychain Dump Via Security CLI
Query
# *macOS Keychain Dump via security CLI*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1555.001 | Credentials from Password Stores: Keychain | https://attack.mitre.org/techniques/T1555/001|
#### Description
This query detects attempts to dump macOS Keychain credentials using the native security command-line tool with the dump-keychain -d flag, which exports stored passwords in cleartext. It focuses on high-fidelity scenarios where the dump is initiated by a suspicious parent process such as shell interpreters (bash, zsh, python) or known post-exploitation tools or by unsigned binaries executing from staging directories like /tmp/, Downloads, or hidden home directories. Legitimate MDM and management tools are excluded to reduce noise. Repeated dump attempts by the same account are aggregated and scored by risk level, helping analysts prioritize automated credential harvesting over isolated accidental executions.
#### Author <Optional>
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### Possible false positives
- Legitimate administrative tools (e.g., MDM solutions like Jamf, Kandji, Mosyleclient) performing keychain operations.
- Developers or system administrators legitimately using scripting languages (python, ruby, perl, etc.) for system management tasks that involve keychain access.
- Accidental or benign execution of 'security dump-keychain' by a user or script, especially if not repeated.
## Defender XDR
```KQL
let SuspiciousParents = dynamic([
"bash", "sh", "zsh", "python", "python3", "ruby",
"perl", "osascript", "curl", "wget", "nc", "ncat"
]);
let LegitimateAdminTools = dynamic([
"Jamf", "kandji", "mosyleclient", "nudge", "munkimanager"
]);
DeviceProcessEvents
| where FileName =~ "security"
| where ProcessCommandLine has_all ("dump-keychain", "-d")
// Scope: macOS devices
| where FolderPath startswith "/usr/bin/security"
or FolderPath startswith "/bin/security"
// Initiating process: suspicious interpreters or unsigned binaries
| where InitiatingProcessFileName in~ (SuspiciousParents)
or (
InitiatingProcessSignerType == "None"
and not(InitiatingProcessFolderPath startswith "/Applications/")
)
// Whitelisting legitimate MDM tools
| where not(InitiatingProcessFileName has_any (LegitimateAdminTools))
// Execution from known staging paths
| where InitiatingProcessFolderPath has_any (
"/tmp/", "/var/folders/", "/private/tmp/",
"/Users/Shared/", "/Library/Caches/",
"Downloads", ".Trash"
)
or (
InitiatingProcessFolderPath matches regex @"/Users/[^/]+/\.[^/]+"
// Hidden directory under home
)
// Temporal clustering: same account performs multiple dumps in a short time
| summarize
DumpCount = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
CommandLines = make_set(ProcessCommandLine, 10),
InitiatingProcesses = make_set(strcat(InitiatingProcessFileName, " | ", InitiatingProcessFolderPath), 5)
by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessSignerType
| where DumpCount >= 1
// Optional: for repeated dumps only, increase to >= 2 for high-fidelity-only mode
| extend
RiskScore = case(
InitiatingProcessFileName in~ (SuspiciousParents) and DumpCount >= 2, "Critical",
InitiatingProcessSignerType == "None" and DumpCount >= 2, "High",
InitiatingProcessFileName in~ (SuspiciousParents), "High",
InitiatingProcessSignerType == "None", "Medium",
"Low"
),
TimeDeltaSeconds = datetime_diff("second", LastSeen, FirstSeen)
| where RiskScore in ("Critical", "High", "Medium")
| project
FirstSeen, LastSeen, TimeDeltaSeconds,
DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessSignerType,
InitiatingProcesses, CommandLines,
DumpCount, RiskScore
| sort by RiskScore asc, DumpCount desc
```
Explanation
This KQL query is designed to detect suspicious activities related to the dumping of macOS Keychain credentials using the security command-line tool. Here's a simplified explanation of what the query does:
-
Identify Suspicious Activity: The query looks for instances where the
securitytool is used with thedump-keychain -dcommand, which can export stored passwords in cleartext. This is a potential security risk if done maliciously. -
Focus on High-Risk Scenarios: It specifically targets scenarios where this command is executed by potentially suspicious parent processes, such as shell interpreters (e.g., bash, zsh, python) or unsigned binaries. These processes might indicate unauthorized or malicious activity.
-
Exclude Legitimate Tools: To reduce false positives, the query excludes known legitimate administrative tools like Jamf or Kandji, which might perform similar operations as part of their normal functioning.
-
Monitor Execution Paths: The query checks if the command is executed from known staging directories (e.g., /tmp/, Downloads) or hidden directories within a user's home directory, which are common locations for malicious scripts.
-
Aggregate and Score Events: It aggregates multiple dump attempts by the same account and assigns a risk score based on the frequency and context of these attempts. This helps prioritize potential threats over accidental or benign actions.
-
Output Results: The query outputs details such as the device name, account name, initiating process, command lines used, and a risk score, sorted by risk level and frequency of dump attempts.
Overall, this query helps security analysts identify and prioritize potential credential harvesting activities on macOS devices by focusing on high-fidelity indicators of compromise.
Details
Benjamin Zulliger
Released: June 19, 2026
Tables
Keywords
Operators