AN1282: Analytic 1282

This analytic matters because it focuses on macOS attempts to retrieve saved Wi‑Fi passwords from the Keychain, using the built-in `security` command or Keychain APIs. For leaders, the risk is not just password disclosure; recovered wireless credentials can weaken office network segmentation, guest/corporate Wi‑Fi separation, and incident containment assumptions if those credentials are reused or broadly trusted.

Executive priority

Treat this as a macOS endpoint and access-control validation item. Security leaders should ask whether corporate Wi‑Fi credentials stored on endpoints are protected, whether SOC teams can see suspicious Keychain access, and whether wireless access policies support rapid credential rotation during an incident. This is most useful for prioritizing macOS monitoring, credential-handling policy, and audit evidence around endpoint visibility and wireless access governance.

Technical view

The supplied ATT&CK object is a detection analytic for macOS behavior involving the `security` command or Keychain API access to extract known Wi‑Fi passwords for target SSIDs. Because no official detection logic, tactic mapping, or relationship context is provided, defenders should validate coverage around process execution, command-line capture where available, Keychain access events, and endpoint security telemetry that can distinguish expected administrative activity from unusual credential access.

Likely telemetry

macOS process execution telemetry for the `security` command
Command-line arguments where collected and permitted
Endpoint security or EDR events related to Keychain access
macOS audit or unified log data relevant to credential or Keychain interactions
User, device, and timestamp context for correlating Keychain access with normal administration activity

Detection direction

Confirm whether macOS endpoints generate and forward process execution telemetry for built-in credential-access utilities.
Validate whether Keychain API access is visible through existing EDR, endpoint security, or macOS logging sources.
Tune for context: legitimate administration, helpdesk activity, device migration, and troubleshooting may create benign Keychain access patterns.
Prioritize unusual users, unusual devices, unusual timing, repeated access attempts, or access to Wi‑Fi credential material outside expected workflows.
Because ATT&CK provides no official detection text for this analytic, treat any rule as locally validated logic rather than guaranteed coverage.

Mitigation priorities

Review whether stored Wi‑Fi credentials are necessary on managed macOS endpoints and whether access is aligned with enterprise policy.
Enforce least-privilege administration on macOS devices so routine users and processes have only necessary credential access.
Maintain the ability to rotate affected Wi‑Fi credentials or SSID access policies during incident response.
Use endpoint management and security controls to monitor or restrict inappropriate credential access where feasible.
Document telemetry coverage and response procedures as evidence for security governance and compliance readiness.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique description. The strongest defensible interpretation is macOS Keychain or `security` command access related to saved Wi‑Fi passwords. There are no supplied ATT&CK relationships, aliases, labels, tactic mappings, or official detection logic, so local environment baselining is required.

The source fields are sparse: platform is limited to macOS, tactics are not specified, and no official detection or relationship context is supplied. This take does not assert active exploitation, actor use, impact, or complete detection coverage.

Official MITRE ATT&CK definition

Analytic 1282

Use of the `security` command or Keychain API to extract known Wi-Fi passwords for target SSIDs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 77a1a96760ec227a...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`77a1a96760ec…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1282
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams