EXPLORE
← Back to Explore
jamf_protectinformationalTTP

Keychain Dumped

This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the parameters "dump-keychain".

Detection Query

$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.security" AND $event.process.args.@count > 0 AND (ANY $event.process.args == "dump-keychain")

Author

Jamf

Data Sources

Process EventsmacOS Endpoint Security

Platforms

macos

Tags

VisibilityCredential HarvestingCredentialAccess
Raw Content
---
name: KeychainDumped
uuid: 6fe79b15-aa2f-4bd5-a6c9-9192878f17b4
longDescription: This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the parameters "dump-keychain".
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.type == 1 AND 
  $event.process.signingInfo.appid == "com.apple.security" AND 
  $event.process.args.@count > 0 AND
  (ANY $event.process.args == "dump-keychain")
actions:
  - name: Log
context: []
categories:
  - Visibility
  - Credential Harvesting
version: 1
severity: Informational
shortDescription: A users keychain database has been dumped.
label: Keychain Dumped
remediation: null
MitreCategories:
  - CredentialAccess