keychaindump (https://github.com/juuso/keychaindump) runs as root, locates the securityd process, searches its memory for candidate keychain master keys and uses them to decrypt the passwords stored in an OS X login keychain. Its presence on a host indicates credential theft and a likely precursor to lateral movement. The rule below identifies the tool itself by matching its error-message strings; SOC teams can run it against files on disk and process memory and forward matches to Azure Sentinel (or another SIEM) to triage early-stage attacks against macOS systems.
YARA Rule
rule hacktool_macos_juuso_keychaindump
{
    meta:
        description = "For reading OS X keychain passwords as root."
        reference = "https://github.com/juuso/keychaindump"
        author = "@mimeframe"
        id = "196c6132-b538-5055-a4cb-e2d46723d06e"
    strings:
        $a1 = "[-] Too many candidate keys to fit in memory" wide ascii
        $a2 = "[-] Could not allocate memory for key search" wide ascii
        $a3 = "[-] Too many credentials to fit in memory" wide ascii
        $a4 = "[-] The target file is not a keychain file" wide ascii
        $a5 = "[-] Could not find the securityd process" wide ascii
        $a6 = "[-] No root privileges, please run with sudo" wide ascii
    condition:
        4 of ($a*)
}
The rule can be deployed against files on disk (file-system scans, quarantine, upload pipelines) and against process memory. It carries six string patterns, each with the wide ascii modifiers so both the plain ASCII and the UTF-16LE form are searched, and fires when at least four of the six occur in the scanned data. Because the strings are keychaindump's own error messages rather than anything the security command or Keychain Access prints, a hit means the tool (or a file embedding its strings) is present, whoever ran it. The false-positive scenarios below therefore only apply where the YARA match is correlated with process telemetry about legitimate keychain access; they are not reasons to suppress the YARA hit itself.
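To make the condition concrete, here is an added example (not code from the original page or from the keychaindump project) that re-implements the rule's matching logic in pure Python: it searches a buffer for the six strings in both the ASCII and the UTF-16LE ("wide") encodings and applies the 4-of-6 threshold. The sample buffers it builds are constructed here for illustration and are not real binaries; the `build_sample` and `scan_file` helpers are this example's own, not part of the rule or of YARA.

```python
# Added example: pure-Python re-implementation of the matching logic in
# hacktool_macos_juuso_keychaindump, to show what "wide ascii" and
# "4 of ($a*)" mean when a buffer is scanned. Standard library only;
# yara-python is not required.

# The six $a* strings exactly as they appear in the rule.
KEYCHAINDUMP_STRINGS = [
    "[-] Too many candidate keys to fit in memory",
    "[-] Could not allocate memory for key search",
    "[-] Too many credentials to fit in memory",
    "[-] The target file is not a keychain file",
    "[-] Could not find the securityd process",
    "[-] No root privileges, please run with sudo",
]

# "4 of ($a*)": at least four distinct patterns must be present.
THRESHOLD = 4


def encodings_for(pattern: str) -> list[bytes]:
    """Return the byte forms YARA searches for a string carrying the
    'wide ascii' modifiers: the plain ASCII bytes and the UTF-16LE
    ("wide") form, i.e. every character followed by a zero byte."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched_patterns(data: bytes) -> list[str]:
    """Return the rule strings present in data in either encoding.
    Each pattern counts once even if it occurs several times or in
    both encodings, which is how YARA counts an 'N of' condition."""
    hits = []
    for pattern in KEYCHAINDUMP_STRINGS:
        if any(form in data for form in encodings_for(pattern)):
            hits.append(pattern)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: 4 of ($a*)."""
    return len(matched_patterns(data)) >= THRESHOLD


def scan_file(path: str) -> bool:
    """Apply the rule to a file on disk (reads the whole file; fine for
    the small binaries this rule targets)."""
    with open(path, "rb") as f:
        return rule_matches(f.read())


def build_sample(strings: list[str], wide: bool = False) -> bytes:
    """Constructed test buffer (hypothetical, not a real Mach-O): pad the
    chosen strings with filler so they sit at arbitrary offsets, the way
    literals do inside a binary's string section."""
    filler = b"\x00" * 16 + b"__TEXT,__cstring" + b"\x00" * 16
    enc = "utf-16-le" if wide else "ascii"
    return filler + filler.join(s.encode(enc) for s in strings) + filler


if __name__ == "__main__":
    # All six strings as ASCII: fires.
    print("all six, ascii :", rule_matches(build_sample(KEYCHAINDUMP_STRINGS)))
    # Four strings, UTF-16LE only: still fires because of 'wide'.
    print("four, wide     :", rule_matches(build_sample(KEYCHAINDUMP_STRINGS[:4], wide=True)))
    # Three strings: below the threshold, no match.
    print("three, ascii   :", rule_matches(build_sample(KEYCHAINDUMP_STRINGS[:3])))
    # Legitimate keychain tooling output contains none of the strings.
    print("security cmd   :", rule_matches(b"security find-generic-password -s svc -w\n"))
```

The last case is the point the scenarios below hinge on: a buffer produced by normal use of the security command shares no strings with keychaindump, so the rule does not fire on it and no user- or process-based exclusion is needed for the YARA match itself.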
Scenario: System Maintenance Task Using security Command
Description: A system administrator runs the security command to read a keychain entry as part of a routine maintenance task, such as verifying credentials for a service.
Filter/Exclusion: Exclude only the specific security process (matched on process.name and its expected command_line) launched by a named administrator account during the scheduled maintenance window, using the user and process.parent fields. Do not exclude root outright: keychaindump itself requires root ($a6, "No root privileges, please run with sudo"), so a blanket root exclusion suppresses exactly the activity the rule targets.
Scenario: Scheduled Job to Retrieve Keychain Credentials for a Service
Description: A cron job or LaunchDaemon is configured to read a keychain password to authenticate a service (e.g., a database connection or API client).
Filter/Exclusion: Exclude processes whose user is the known service account or whose process.parent is the expected launchd job, and additionally require command_line to contain the service-specific keychain item name so the exclusion cannot be reused by an attacker running a different binary under the same account.
Scenario: Keychain Access for Application Debugging
Description: A developer uses the Keychain Access app or the security command to manually inspect keychain entries while troubleshooting an application that requires authentication.
Filter/Exclusion: Exclude processes with process.name matching Keychain Access or security when executed by a known developer user during debugging sessions; keep the exclusion scoped to those two binaries rather than to the user.
Scenario: Keychain Password Retrieval for Backup Purposes
Description: A backup script (e.g., a backup.sh wrapper around rsync) reads a keychain password with the security command so it can authenticate to the backup destination.
Filter/Exclusion: Exclude the backup script using process.name or command_line containing the script's path and backup-related keywords, and require the user field to match the dedicated backup service account.
Scenario: Keychain Access for Multi-Factor Authentication (MFA) Verification
Description: An MFA tool or authentication service (e.g., Google Authenticator, Authy)