AN0107: Analytic 0107
Detects abnormal access to Safari credential stores (Keychain-backed) or Chrome/Firefox login databases. Observes processes executing `security dump-keychain` or directly reading credential files in `~/Library/Application Support`. Correlates file access with suspicious process ancestry or unsigned binaries.
Analyst context for executives and security teams
This analytic matters because browser and Keychain-backed credential stores on macOS can contain access paths to business applications, cloud services, and privileged workflows. For leaders, the key decision is whether the organization can see abnormal attempts to read those stores, especially when performed by unusual, unsigned, or suspiciously spawned processes.
Executive priority
Prioritize this as an identity and incident-readiness control for macOS environments. Validate whether endpoint telemetry can prove when Safari Keychain-backed credentials or Chrome/Firefox login databases are accessed, and whether SOC workflows can distinguish legitimate user or browser activity from suspicious access. This supports credential theft response, audit evidence for endpoint monitoring, and prioritization of macOS visibility gaps.
Technical view
For SOC and detection teams, validate monitoring for macOS processes executing `security dump-keychain` and for direct reads of browser credential files under `~/Library/Application Support`. Correlate file access with process ancestry and binary signing status as described by the analytic. Because no ATT&CK tactics or relationships are supplied, treat this as a focused macOS credential-store access detection rather than a broader campaign or technique mapping.
Likely telemetry
- macOS process execution events, including command-line arguments
- File access events for Safari Keychain-backed credential stores and Chrome/Firefox login database locations under `~/Library/Application Support`
- Process ancestry or parent-child process metadata
- Code signing or binary trust status for processes accessing credential stores
- Endpoint security alerts or EDR events related to abnormal credential-store access
Detection direction
- Confirm telemetry includes command-line visibility for `security dump-keychain`.
- Confirm file access monitoring covers relevant browser credential database paths under user home directories.
- Tune logic to correlate credential-store reads with suspicious process ancestry or unsigned binaries, not just file access alone.
- Account for legitimate browser, system, user support, backup, or migration activity to reduce false positives.
- Review macOS coverage specifically; the supplied object lists only macOS as a supported platform.
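One way to prototype the correlation described above, as an added example that is not part of the ATT&CK object or the Glexia analysis: it scores constructed sample endpoint events in Python, flagging `security dump-keychain` executions and non-browser reads of browser login databases, then raises severity when the process is unsigned or has a suspicious parent. The Chrome/Firefox file patterns, the expected-reader allowlist and the suspicious-parent set are assumptions to be tuned against local telemetry.

```python
import re
from fnmatch import fnmatch

# Browser login databases under ~/Library/Application Support (assumed patterns).
CRED_STORE_GLOBS = [
    "*/Library/Application Support/Google/Chrome/*/Login Data",
    "*/Library/Application Support/Firefox/Profiles/*/logins.json",
    "*/Library/Application Support/Firefox/Profiles/*/key4.db",
]
# Processes expected to read their own credential stores (assumed allowlist).
EXPECTED_READERS = {"Google Chrome", "firefox", "Safari", "securityd", "backupd"}
# Parents that rarely launch credential-store readers legitimately (assumed).
SUSPICIOUS_PARENTS = {"osascript", "python3", "bash", "zsh", "sh", "curl"}
KEYCHAIN_DUMP = re.compile(r"\bsecurity\b.*\bdump-keychain\b")

def touches_cred_store(path):
    return any(fnmatch(path, g) for g in CRED_STORE_GLOBS)

def evaluate(event):
    """Return (severity, reasons) for one event; severity None means no alert."""
    reasons = []
    if KEYCHAIN_DUMP.search(event.get("cmdline", "")):
        reasons.append("security dump-keychain executed")
    if touches_cred_store(event.get("file", "")) and event["process"] not in EXPECTED_READERS:
        reasons.append("non-browser read of browser login database")
    if not reasons:
        return None, []
    severity = "medium"  # file access or dump alone is not enough on its own
    if not event.get("signed", True):
        reasons.append("unsigned binary")
        severity = "high"
    if event.get("parent") in SUSPICIOUS_PARENTS:
        reasons.append("suspicious parent " + event["parent"])
        severity = "high"
    return severity, reasons

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process": "Google Chrome", "parent": "launchd", "signed": True,
     "file": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"process": "security", "parent": "osascript", "signed": True,
     "cmdline": "security dump-keychain -d login.keychain-db"},
    {"process": "updater", "parent": "bash", "signed": False,
     "file": "/Users/alice/Library/Application Support/Firefox/Profiles/x1.default/logins.json"},
    {"process": "security", "parent": "Terminal", "signed": True,
     "cmdline": "security find-identity -v"},
]

def run(events=SAMPLE_EVENTS):
    """Return (process, severity, reasons) for every event that alerts."""
    return [(e["process"], *evaluate(e)) for e in events if evaluate(e)[0]]
```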
Mitigation priorities
- Harden macOS endpoint monitoring coverage before relying on this analytic for response decisions.
- Limit unnecessary access to credential stores through least-privilege endpoint practices and controlled administrative workflows.
- Maintain trusted software and code-signing validation processes to help differentiate expected binaries from suspicious ones.
- Ensure incident response playbooks include credential exposure assessment when abnormal Keychain or browser login database access is detected.
- Use findings to inform identity risk actions such as session review, credential reset decisions, or access review when local evidence supports exposure.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a full technique entry. Its useful defensive value is in validating macOS endpoint visibility around browser and Keychain-backed credential access, process ancestry, and unsigned binaries. No relationship context, tactics, aliases, or official detection logic were supplied beyond the description.
This take is limited to the official fields provided. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local file paths, browser versions, endpoint tooling, and business-approved administrative activity must be validated in the customer environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be expanded to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 499b6c42a818… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0107 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.