← Back to Explore
jamf_protectinformationalTTP
Keychain Dumped
This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the parameters "dump-keychain".
Detection Query
$event.type == 1 AND $event.process.signingInfo.appid == "com.apple.security" AND $event.process.args.@count > 0 AND (ANY $event.process.args == "dump-keychain")Author
Jamf
Data Sources
Process EventsmacOS Endpoint Security
Platforms
macos
Tags
VisibilityCredential HarvestingCredentialAccess
Raw Content
---
name: KeychainDumped
uuid: 6fe79b15-aa2f-4bd5-a6c9-9192878f17b4
longDescription: This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the parameters "dump-keychain".
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.type == 1 AND
$event.process.signingInfo.appid == "com.apple.security" AND
$event.process.args.@count > 0 AND
(ANY $event.process.args == "dump-keychain")
actions:
- name: Log
context: []
categories:
- Visibility
- Credential Harvesting
version: 1
severity: Informational
shortDescription: A users keychain database has been dumped.
label: Keychain Dumped
remediation: null
MitreCategories:
- CredentialAccess