MITRE ATT&CK® Analytic

AN1155: Analytic 1155

Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users.

Enterprise · AN1155 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting unusual access on macOS to sensitive local user artifacts: the user's Keychain files and shell or Terminal command history. For leaders, the practical issue is not the files themselves but what they hold. The login keychain stores saved passwords, certificates, and private keys; it is protected by the user's login password, but a copied keychain file can be attacked offline at leisure. Shell history records every command typed, which often includes hostnames, internal paths, and occasionally credentials or tokens passed on the command line. Either gives an intruder on a Mac endpoint a map for understanding the environment and expanding access.

Executive priority

Treat this as a macOS endpoint and identity-risk validation item. Security leaders should ask whether the organization can prove which processes and users access Keychain and command-history locations, whether that evidence is retained for investigations, and whether SOC playbooks distinguish legitimate administration from unauthorized access. This is most relevant where macOS systems are used by executives, developers, administrators, or other users with access to sensitive systems.

Technical view

The supplied ATT&CK object defines a detection analytic for macOS focused on unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users. Two caveats matter when mapping this to real hosts. First, zsh has been the default login shell since macOS Catalina, so on most current Macs the live artifacts are ~/.zsh_history and the per-session files Terminal writes under ~/.zsh_sessions/, while ~/.bash_history may not exist at all; the monitored path list should follow the shells actually in use, and analysts should remember that an attacker can point HISTFILE elsewhere or disable history within their own session. Second, the keychain files (login.keychain-db and the iCloud keychain database under the same directory) are normally opened by Apple's security daemons on an application's behalf rather than by the application itself, so a direct open, copy, or archive of a .keychain-db file by an ordinary process is a much stronger signal than Keychain use in general. SOC and detection teams should validate file-access visibility for these paths, process-to-file attribution (executable path and code-signing identity, not just process name), user context, and baselining of expected macOS utilities, shells, endpoint tools, and administrative workflows. Because no official detection logic or related techniques were supplied, implementation should be environment-specific and tested against normal user behavior before alerting at high severity.

Likely telemetry

  • macOS endpoint file access events (open, read, copy, rename, delete) for ~/Library/Keychains and the shell and Terminal history files actually in use: ~/.zsh_history, ~/.bash_history, and ~/.zsh_sessions/
  • Process execution telemetry with process name, executable path, command line, parent process, code-signing identity (signing ID and team ID) where available, and user context
  • User/session context showing the account that accessed the files
  • Endpoint security or EDR audit data linking processes to file reads, opens, copies, or permission changes
  • File metadata changes for sensitive user-history or Keychain-related files

Detection direction

  • Confirm that macOS telemetry records access to the specific user-scoped paths identified by the analytic, not just process execution. Most EDR file-access events on macOS come from Apple's Endpoint Security framework; check that the sensor subscribes to file open (and copy or clone) events for these paths and that each event carries the executable path, signing identity, parent process, and effective user.
  • Build allowlists or baselines for expected processes and users, such as normal shells, Terminal, backup tools, endpoint security tools, and approved administration workflows. Key allowlist entries on executable path plus code-signing identity rather than process name alone, and record the user each entry is expected to run as.
  • Prioritize suspicious cases where an unexpected process, unusual parent process, non-interactive context, or unauthorized user accesses Keychain or command-history files. A simple unauthorized-user check is whether the effective user differs from the owner of the home directory the file sits in; a copy or archiving utility (cp, ditto, tar, zip) or a scripting runtime touching a .keychain-db file deserves the highest priority.
  • Tune for false positives from legitimate troubleshooting, developer workflows, migration tools such as Migration Assistant, backup software, and security scanners.
  • Validate retention and searchability so incident responders can reconstruct which process accessed the files and under which user account.

Mitigation priorities

  • Limit local administrator rights and unauthorized user access on macOS endpoints where practical.
  • Apply least-privilege controls and endpoint management policies that restrict access to sensitive user data locations.
  • Harden and monitor developer, administrator, and executive Macs where local secrets or privileged command history may have higher business impact.
  • Ensure approved backup, management, and security tools are documented so detection tuning can separate expected access from suspicious access.
  • Include this evidence requirement in incident response readiness: responders should know how to collect and interpret macOS file-access and process-context telemetry.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure. Its value is as a coverage question: can the organization observe and investigate unusual macOS access to Keychain and command-history artifacts? The strongest use is in detection engineering and IR readiness reviews, especially for macOS fleets with privileged users or sensitive development activity.

The supplied ATT&CK fields provide a short analytic description only. No official detection logic, tactics, relationships, related techniques, data components, mitigations, or adversary context were supplied. Local macOS logging configuration, EDR capability, user roles, and approved administrative tooling are required to determine practical coverage and alert severity.

Official MITRE ATT&CK definition

Analytic 1155

Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
682005a97c9658c4...
Imported snapshots across ATT&CK releases (1)
Release: 19.1 · Object version: 1.0 · Status: Current bundle · Raw hash: 682005a97c96…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1155 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.