AN0673: Analytic 0673
Monitor for security commands and API calls interacting with the Keychain, as well as file access attempts to stored certificates and private keys in ~/Library/Keychains or /Library/Keychains.
Analyst context for executives and security teams
This analytic matters because macOS Keychains can contain certificates, private keys, and other credentials that support user access, application trust, VPN, Wi-Fi, code signing, and enterprise authentication workflows. For leaders, the key decision is whether the organization can see suspicious interaction with these stores before credential or certificate misuse becomes an incident response problem. The ATT&CK object is narrow: it only states monitoring for security commands, API calls, and file access attempts involving Keychain locations on macOS.
Executive priority
Prioritize this where macOS endpoints hold business-critical credentials, certificates, or private keys. Security leaders should ask whether endpoint telemetry, SOC processes, and incident response playbooks can prove visibility into Keychain access and attempted access to ~/Library/Keychains and /Library/Keychains. This is also useful as compliance evidence for credential protection and monitoring controls, but local validation is required because ATT&CK does not provide a detection implementation or tuning guidance for this analytic.
Technical view
For SOC and detection engineering teams, validate macOS coverage for command execution involving security-related utilities, API-level interaction with Keychain services where available, and file access attempts against user and system Keychain directories. Because no ATT&CK tactic, technique relationship, or detection logic is supplied, treat this as a telemetry coverage requirement rather than a finished detection. IR teams should ensure triage can distinguish expected administrative, application, and certificate-management activity from unusual access patterns.
Likely telemetry
- macOS process execution telemetry for security-related commands
- Endpoint file access telemetry for ~/Library/Keychains
- Endpoint file access telemetry for /Library/Keychains
- macOS API or security subsystem telemetry related to Keychain interaction where available
- User, host, and process context associated with Keychain access attempts
Detection direction
- Confirm that macOS endpoint telemetry captures both user-level and system-level Keychain file paths named in the ATT&CK object.
- Baseline normal Keychain access by operating system services, enterprise management tools, browsers, VPN clients, certificate tools, and user applications to reduce false positives.
- Alerting should consider unusual process lineage, unexpected users, abnormal hosts, or access to private key and certificate stores outside normal administrative windows.
- Because official detection logic is not provided, test visibility with authorized internal validation and document gaps rather than assuming coverage.
- Correlate Keychain access events with identity, endpoint, and incident context when available, but do not infer malicious intent from Keychain interaction alone.
Mitigation priorities
- Inventory macOS systems where certificates, private keys, or sensitive credentials are stored in Keychains.
- Restrict and review administrative access to macOS endpoints that hold sensitive Keychain material.
- Ensure endpoint monitoring is deployed and configured to collect relevant process and file access telemetry for the specified Keychain paths.
- Define SOC triage procedures for suspicious Keychain access, including owner validation and certificate/key handling guidance.
- Use findings from telemetry validation to support credential protection, incident response readiness, and compliance evidence.
Analyst notes and limits
This ATT&CK object is a detection analytic, not a technique description. It is scoped to macOS and focuses on monitoring Keychain-related commands, API calls, and file access attempts. No relationships, tactics, aliases, labels, or official detection content were supplied, so this take emphasizes defensive validation and governance value rather than specific adversary behavior.
The source does not provide detection logic, related techniques, data sources, mitigations, adversary examples, or relationship context. Local environment baselining is required to determine what Keychain access is normal, what telemetry is available, and what events should become alerts.
Analytic 0673
Monitor for security commands and API calls interacting with the Keychain, as well as file access attempts to stored certificates and private keys in ~/Library/Keychains or /Library/Keychains.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | ba1330ee3234… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0673Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.