An adversary may use Chainbreaker to extract user credentials from a Keychain file by leveraging the Master Key or user password, indicating potential credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential compromise risks before lateral movement or persistence occurs.
YARA Rule
rule hacktool_macos_n0fate_chainbreaker
{
    meta:
        description = "chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner."
        reference = "https://github.com/n0fate/chainbreaker"
        author = "@mimeframe"
        id = "6b04050d-006d-56c0-91b4-8dda1c1ff3fa"
    strings:
        $a1 = "[!] Private Key Table is not available" wide ascii
        $a2 = "[!] Public Key Table is not available" wide ascii
        $a3 = "[-] Decrypted Private Key" wide ascii
    condition:
        all of ($a*)
}
This rule contains three string patterns in its detection logic, each declared with the `wide ascii` modifiers so that both the plain one-byte form and the UTF-16LE form are searched. The condition `all of ($a*)` requires every one of the three strings to be present before the rule fires.
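To make the rule's semantics concrete, here is an added example (not part of this page or of the chainbreaker project) that re-implements the matching logic of the three `wide ascii` strings and the `all of ($a*)` condition in plain Python, so it can be checked offline without yara-python. The sample buffers are constructed for the demonstration and are not real chainbreaker artifacts.

```python
# Added example: minimal re-implementation of this rule's matching logic
# (strings with "wide ascii" modifiers, condition "all of ($a*)").
# The sample buffers below are constructed; they are not real files.

RULE_STRINGS = {
    "$a1": "[!] Private Key Table is not available",
    "$a2": "[!] Public Key Table is not available",
    "$a3": "[-] Decrypted Private Key",
}


def encodings(pattern: str) -> list[bytes]:
    """Byte forms YARA searches for under 'wide ascii': 'ascii' is the literal
    one-byte string, 'wide' is UTF-16LE (each character followed by a NUL byte),
    which is how text often appears inside compiled or packed tooling."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def match_strings(data: bytes) -> dict[str, bool]:
    """Report which of the rule's string identifiers occur anywhere in data."""
    return {
        ident: any(form in data for form in encodings(text))
        for ident, text in RULE_STRINGS.items()
    }


def rule_matches(data: bytes) -> bool:
    """Condition 'all of ($a*)': every $a-prefixed string must be present."""
    return all(match_strings(data).values())


# Constructed samples: plain ASCII, UTF-16LE ("wide"), and a partial hit.
SAMPLE_ASCII = b"\x00" * 16 + b"".join(s.encode() + b"\n" for s in RULE_STRINGS.values())
SAMPLE_WIDE = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in RULE_STRINGS.values())
SAMPLE_PARTIAL = (
    b"[!] Private Key Table is not available\n"
    b"[!] Public Key Table is not available\n"
)

if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("partial", SAMPLE_PARTIAL)]:
        print(name, match_strings(buf), "->", "MATCH" if rule_matches(buf) else "no match")
```

The partial sample shows why the `all of` condition matters for precision: two of the three strings are present, yet the rule does not fire.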
Scenario: System Backup Job Extracting Keychain Files
Description: A scheduled backup job (e.g., rsync, Veeam, or Commvault) may copy keychain files from a user’s home directory during routine maintenance.
Filter/Exclusion: Check for processes associated with backup tools (e.g., rsync, vssadmin, or backupexec) or filter by file paths common to backup directories (e.g., /backup/, /var/backups/).
Scenario: Admin Task to Reset User Password via Keychain
Description: An administrator may use a tool like keychain or security (macOS) to reset a user’s password by accessing the keychain directly.
Filter/Exclusion: Filter for processes initiated by administrative accounts (e.g., sudo, root, or admin_user) or check for known admin tools (e.g., security, keychain, chpass).
Scenario: Automated Security Audit Tool Scanning Keychain Files
Description: A security tool like OSXKeychainInspector or KeychainAudit may scan keychain files as part of a compliance or security audit.
Filter/Exclusion: Filter for processes associated with known security tools or audit frameworks (e.g., OSXKeychainInspector, KeychainAudit, or Splunk).
Scenario: User-Initiated Keychain Export for Migration
Description: A user may export their keychain file (e.g., via security export -a) to migrate to a new device or system.
Filter/Exclusion: Filter for user-initiated processes (e.g., security, keychain, or export) or check for user-specific file paths (e.g., `~/Library/Keychains/