AN1112: Analytic 1112
Detects suspicious access to macOS Keychain files and APIs. Observes processes invoking the 'security' utility or accessing Keychain databases directly, and correlates these with abnormal parent process lineage or unexpected user context. Monitors attempts to dump, unlock, or read credential storage beyond normal application workflows.
Analyst context for executives and security teams
This analytic matters because macOS Keychain is a high-value credential store. Suspicious access to Keychain files or APIs can indicate attempts to read, unlock, or dump stored credentials outside normal application behavior. For leaders, the practical question is whether macOS endpoints generate enough process, file, user-context, and parent-process telemetry for the SOC to distinguish routine Keychain use from abnormal credential-access behavior.
Executive priority
Prioritize this as a macOS identity and endpoint visibility control check. It supports business resilience by helping validate whether credential-storage abuse on managed Macs would be visible during an investigation. Security leaders should ask whether macOS endpoint logging, EDR coverage, and SOC runbooks include Keychain access monitoring, and whether exceptions for legitimate administrative or application workflows are documented for audit and incident response readiness.
Technical view
For SOC and detection engineering teams, validate monitoring for processes invoking the macOS 'security' utility, direct access to Keychain database files, attempts to dump, unlock, or read credential storage, abnormal parent process lineage, and unexpected user context. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, implementation should be locally tested against known-good macOS workflows to avoid broad or noisy alerting.
Likely telemetry
- macOS process execution events, including command-line arguments where available
- Parent and child process lineage for processes interacting with Keychain-related utilities or files
- File access events for Keychain database locations
- User/session context associated with Keychain access
- Endpoint security or EDR events showing API or utility-based credential-store access
Detection direction
- Confirm visibility into the 'security' utility and whether command-line arguments are captured sufficiently to identify dump, unlock, or read-style activity.
- Correlate Keychain access with parent process lineage and user context rather than alerting only on file or utility access.
- Baseline normal application workflows that access Keychain to reduce false positives.
- Review coverage gaps on macOS endpoints that lack EDR, file access logging, or command-line capture.
- Treat unusual parent processes, unexpected users, or direct database access as higher-priority triage signals, subject to local validation.
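The correlation the detection direction describes, worked as an added Python example that is not the analytic's official detection logic (the page states none is supplied) and not code from MITRE or Glexia. It scores constructed macOS process and file events: invocations of the real 'security' CLI whose subcommand dumps, unlocks, or reads credential storage, and direct opens of the login or System keychain database files, then raises severity when the parent process or the user context is abnormal. The baseline sets (EXPECTED_SECURITY_PARENTS, EXPECTED_DB_READERS, SYSTEM_SERVICE_ACCOUNTS) are assumptions standing in for a fleet's own documented workflows; the subcommand names and keychain paths are the standard macOS ones.

```python
"""Added example: correlate macOS Keychain access with parent lineage and
user context, suppressing documented workflows. Not the analytic's official
detection logic; the baseline sets below are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import shlex

# Subcommands of the real macOS 'security' CLI that dump, unlock, or read
# keychain contents. Other subcommands (e.g. 'list-keychains') are benign.
SENSITIVE_SUBCOMMANDS = {
    "dump-keychain": "dump",
    "export": "dump",
    "unlock-keychain": "unlock",
    "find-generic-password": "read",
    "find-internet-password": "read",
}

# Standard on-disk locations of the per-user login and System keychains.
KEYCHAIN_DB_SUFFIXES = ("/Library/Keychains/login.keychain-db",
                        "/Library/Keychains/System.keychain")

# Constructed baseline (assumption): parents under which 'security' runs in
# this fleet's documented workflows, processes expected to open the database
# files directly, and service accounts allowed to touch any user's keychain.
EXPECTED_SECURITY_PARENTS = {"jamf", "launchd", "Terminal"}
EXPECTED_DB_READERS = {"securityd", "security", "mds", "backupd"}
SYSTEM_SERVICE_ACCOUNTS = {"root", "_securityd"}


@dataclass
class Event:
    kind: str          # "process" or "file"
    process: str       # executable name
    parent: str        # parent executable name
    user: str          # effective user
    cmdline: str = ""  # full command line (process events)
    path: str = ""     # file path (file events)


def security_action(cmdline: str) -> Optional[str]:
    """Return the credential-store action a 'security' command line performs
    ('dump', 'unlock', 'read'), or None for subcommands outside scope."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return "unparseable"          # malformed quoting is itself worth a look
    for arg in argv[1:]:
        if not arg.startswith("-"):   # first non-option word is the subcommand
            return SENSITIVE_SUBCOMMANDS.get(arg)
    return None


def evaluate(event: Event) -> Optional[Tuple[str, str]]:
    """Classify one event as (severity, reason), or None when it is outside
    the analytic's scope or matches the documented baseline."""
    reasons = []
    if event.kind == "process" and event.process == "security":
        action = security_action(event.cmdline)
        if action is None:
            return None
        reasons.append(f"security utility {action} of credential storage")
        if event.parent not in EXPECTED_SECURITY_PARENTS:
            reasons.append(f"unexpected parent {event.parent}")
    elif event.kind == "file" and event.path.endswith(KEYCHAIN_DB_SUFFIXES):
        if event.process in EXPECTED_DB_READERS:
            return None
        reasons.append(f"direct keychain database access by {event.process}")
        # A keychain under /Users/<owner>/ opened by a different, non-service user
        owner = event.path.split("/")[2] if event.path.startswith("/Users/") else None
        if owner and event.user != owner and event.user not in SYSTEM_SERVICE_ACCOUNTS:
            reasons.append(f"user {event.user} accessing {owner}'s keychain")
    else:
        return None
    # Utility/file access alone is medium; an abnormal parent or user raises it.
    severity = "high" if len(reasons) > 1 else "medium"
    return severity, "; ".join(reasons)


def triage(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run evaluate() over a batch and return (index, severity, reason) hits."""
    hits = []
    for i, ev in enumerate(events):
        result = evaluate(ev)
        if result is not None:
            hits.append((i, result[0], result[1]))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("process", "security", "Terminal", "alice",
          cmdline="security find-generic-password -s corp-vpn -w"),
    Event("process", "security", "osascript", "alice",
          cmdline="security dump-keychain"),
    Event("process", "security", "jamf", "root",
          cmdline="security list-keychains"),
    Event("file", "securityd", "launchd", "root",
          path="/Users/alice/Library/Keychains/login.keychain-db"),
    Event("file", "python3", "bash", "bob",
          path="/Users/alice/Library/Keychains/login.keychain-db"),
    Event("file", "Finder", "launchd", "alice",
          path="/Users/alice/Documents/notes.txt"),
]

if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} - {why}")
```

Of the six constructed events, the interactive password read from Terminal scores medium, the dump launched from an unexpected parent and the cross-user direct read of the login keychain score high, and the benign list-keychains call, securityd's own database access, and the unrelated file open produce nothing. The baseline sets are where local tuning against known-good workflows (step 3 above) lands.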
Mitigation priorities
- Ensure managed macOS endpoints have endpoint telemetry capable of observing process execution, file access, and user context relevant to Keychain activity.
- Limit administrative access and review who can perform actions that unlock or extract credential material from Keychain stores.
- Document legitimate Keychain access patterns for IT, administrative, and business applications so detections can be tuned and defended during audits.
- Integrate macOS credential-access alerts into incident response playbooks, including account review and credential reset decision points when suspicious access is confirmed.
- Periodically test detection coverage in a controlled defensive validation process without assuming that the analytic is already implemented or effective.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic for macOS Keychain access monitoring. The strongest decision value is using it as a coverage validation item for macOS credential-store visibility and SOC triage quality. No relationship context is supplied, so this take does not connect the analytic to specific techniques, groups, software, or campaigns.
The official detection field is not provided, tactics are not specified, and no relationships are supplied. The description supports monitoring direction but not a complete detection rule, severity model, or guaranteed coverage statement. Local macOS fleet configuration, logging depth, EDR capability, and business application behavior are required to operationalize this safely.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cca72a70003a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1112 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.