← Back to Explore
jamf_protectinformationalTTP
Keychain Copied
This detection functions by monitoring for process activity using the mv, ditto or cp binaries to copy .keychain-db files over to other locations, in case of a healthy keychain this should not happen.
Detection Query
$event.type == 1 AND $event.process.path.lastPathComponent IN {'mv', 'ditto', 'cp'} AND $event.process.args.@count > 0 AND (ANY $event.process.args == ".keychain-db")Author
Jamf
Data Sources
Process EventsmacOS Endpoint Security
Platforms
macos
Tags
VisibilityCredential HarvestingCredentialAccess
Raw Content
---
name: KeychainCopied
uuid: 25b14366-08bd-473f-a7dd-6ff5818ffb84
longDescription: This detection functions by monitoring for process activity using the mv, ditto or cp binaries to copy .keychain-db files over to other locations, in case of a healthy keychain this should not happen.
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.type == 1 AND
$event.process.path.lastPathComponent IN {'mv', 'ditto', 'cp'} AND
$event.process.args.@count > 0 AND
(ANY $event.process.args == ".keychain-db")
actions:
- name: Log
context: []
categories:
- Visibility
- Credential Harvesting
version: 1
severity: Informational
shortDescription: A users keychain database has been copied.
label: Keychain Copied
remediation: Review the path the keychain has been copied to and if it's initiated by the user on-purpose.
MitreCategories:
- CredentialAccess