Adversaries may use a keychain dumping utility to extract sensitive credentials from macOS systems, potentially granting access to encrypted data and services. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage credential theft attempts that may evade traditional detection methods.
YARA Rule

    rule hacktool_macos_ptoomey3_keychain_dumper
    {
        meta:
            description = "Keychain dumping utility."
            reference = "https://github.com/ptoomey3/Keychain-Dumper"
            author = "@mimeframe"
            id = "7be4b137-619d-5d19-ac31-5c0148a3a77a"

        strings:
            $a1 = "keychain_dumper" wide ascii
            $a2 = "/var/Keychains/keychain-2.db" wide ascii
            $a3 = "<key>keychain-access-groups</key>" wide ascii
            $a4 = "SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet" wide ascii
            $a5 = "dumpEntitlements" wide ascii

        condition:
            all of ($a*)
    }
This rule contains 5 string patterns in its detection logic, each matched in both ASCII and UTF-16LE ("wide") form, and the condition requires all five to be present. A file that merely references the keychain database path or the entitlement key therefore does not match. The rule itself matches the utility's embedded strings in a scanned file or process; the exclusion filters below apply to process-execution telemetry when an alert is correlated with endpoint events.
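To make the matching semantics concrete, the following Python emulates this rule's five strings, its `wide ascii` modifiers and its `all of` condition against constructed sample buffers. It is an added example, not part of the original rule or the Keychain-Dumper project; the sample buffers are fabricated and do not represent real binaries.

```python
# Emulation of rule hacktool_macos_ptoomey3_keychain_dumper (added example).
# The atoms below are copied from the rule; everything else is illustrative.
RULE_STRINGS = {
    "$a1": b"keychain_dumper",
    "$a2": b"/var/Keychains/keychain-2.db",
    "$a3": b"<key>keychain-access-groups</key>",
    "$a4": b"SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet",
    "$a5": b"dumpEntitlements",
}


def wide(atom: bytes) -> bytes:
    """YARA's 'wide' modifier: each ASCII byte followed by a NUL (UTF-16LE, no BOM)."""
    return atom.decode("ascii").encode("utf-16-le")


def matched_strings(data: bytes) -> set:
    """Identifiers whose ascii or wide form occurs anywhere in data."""
    return {ident for ident, atom in RULE_STRINGS.items()
            if atom in data or wide(atom) in data}


def rule_matches(data: bytes) -> bool:
    """condition: all of ($a*) -- every string must be present."""
    return matched_strings(data) == set(RULE_STRINGS)


# Constructed sample buffers (not real files).
# 1) All five strings as plain ASCII C-strings in a fake data section.
SAMPLE_ASCII = b"\x00" * 16 + b"".join(a + b"\x00" for a in RULE_STRINGS.values())
# 2) The same strings stored as UTF-16LE, as a 'wide' binary would carry them.
SAMPLE_WIDE = b"\xcf\xfa\xed\xfe" + b"".join(wide(a) + b"\x00\x00" for a in RULE_STRINGS.values())
# 3) A benign-looking buffer that references the database path and the
#    entitlement key only; it trips two strings but not the condition.
BENIGN = (b"Opening /var/Keychains/keychain-2.db; "
          b"reading <key>keychain-access-groups</key> from plist")


def scan_report(samples: dict) -> dict:
    """Map sample name -> (rule matched?, sorted list of strings that hit)."""
    return {name: (rule_matches(buf), sorted(matched_strings(buf)))
            for name, buf in samples.items()}


if __name__ == "__main__":
    report = scan_report({"ascii": SAMPLE_ASCII, "wide": SAMPLE_WIDE, "benign": BENIGN})
    for name, (hit, strings) in report.items():
        print(f"{name:7s} match={hit} strings={strings}")
```

Replacing `all of` with `2 of ($a*)` in `rule_matches` would turn the benign buffer into a hit, which is why the original condition is the conservative choice for a hunting rule.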
Scenario: System Maintenance Task Using security Command
Description: A system administrator is performing routine maintenance and uses the security command to dump a keychain for backup or analysis.
Filter/Exclusion: process.name != "security" OR process.args NOT LIKE '%dump%'

Scenario: Scheduled Job for Keychain Backup
Description: A scheduled job (e.g., via launchd or cron) is configured to periodically back up keychain data as part of a compliance or disaster recovery process.
Filter/Exclusion: (process.name != "launchd" AND process.name != "cron") OR process.args NOT LIKE '%backup%'

Scenario: Developer Debugging Keychain Access
Description: A developer is troubleshooting an application that requires access to a keychain and uses tools like keychainutil or security to inspect or modify entries.
Filter/Exclusion: process.name NOT IN ("security", "keychainutil") OR process.args NOT LIKE '%debug%'

Scenario: Automated CI/CD Pipeline Keychain Access
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is configured to access a keychain for secure credential storage during deployment.
Filter/Exclusion: process.name NOT IN ("jenkins", "github-actions") OR process.args NOT LIKE '%ci%'

Scenario: User-Initiated Keychain Access for Application Setup
Description: A user is setting up a new application that requires keychain access and manually runs a keychain dump to configure the app.
Filter/Exclusion: process.name != "security" OR process.args NOT LIKE '%setup%'