MITRE ATT&CK® Detection Strategy

DET0396: Detect Access to macOS Keychain for Credential Theft

Enterprise | DET0396 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because macOS Keychain can hold high-value secrets such as passwords, private keys, certificates, sensitive application data, payment data, and secure notes. If defenders cannot see suspicious access to Keychain, a macOS endpoint compromise can become an identity and credential incident that affects user accounts, applications, and business services beyond the single device.

Executive priority

Treat this as a validation point for macOS credential-access readiness. Leaders should ask whether SOC and incident response teams can prove visibility into Keychain access on managed macOS systems, whether collected evidence supports investigations and audit needs, and whether identity risk decisions account for credentials and certificates potentially exposed from endpoint credential stores.

Technical view

The supplied ATT&CK relationship maps DET0396 to T1555.001 Keychain, under Credential Access on macOS. Because the official detection text is not provided, teams should validate coverage around observable access to the macOS Keychain and Keychain Services rather than assume a specific analytic. In practice the observables are the processes, users, and command-line or API activity (where captured) that touch Keychain, together with file or security-subsystem events for the Keychain stores: the login keychain and the Local Items (iCloud Keychain) store under the user's ~/Library/Keychains/ directory, and the System keychain at /Library/Keychains/System.keychain. The built-in `security` command-line tool is a well-known way to read Keychain contents and should be in scope of any command-line telemetry review. IR playbooks should connect suspected Keychain access to credential exposure assessment and downstream identity containment.

Likely telemetry

  • macOS endpoint process execution telemetry for processes interacting with Keychain-related resources
  • User and session context for the account under which Keychain access occurred
  • Command-line or script execution telemetry where available
  • macOS security, authentication, or endpoint security events that show Keychain or Keychain Services access
  • File access or metadata events related to Keychain storage locations where collected

Detection direction

  • Validate that managed macOS endpoints are in scope; the detection strategy object itself has no platform field, but the related ATT&CK technique is macOS.
  • Tune for unusual Keychain access patterns relative to the user, process, application, and administrative context rather than treating all Keychain access as malicious.
  • Correlate Keychain access with broader credential-access signals, suspicious scripting, unexpected parent processes, or later use of passwords, certificates, or private keys.
  • Account for false positives from legitimate applications, operating system services, device management tools, and user-approved credential prompts; macOS prompts the user when a process outside a Keychain item's access control list requests that item's secret, so such prompts are routine for legitimate software and are not by themselves a signal of abuse.
  • Document blind spots where endpoint agents do not capture command-line, process lineage, Keychain service interactions, or file access events.
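The telemetry list and the tuning guidance above can be turned into a first-pass triage routine. The following Python is an added example for this page, not MITRE's object text or Glexia's tooling. It assumes a hypothetical normalised event schema (type, user, process, parent, cmdline, path) rather than any specific EDR's field names, uses a constructed allowlist of baseline Keychain accessors that a real deployment would derive from its own fleet, and scores events on three of the signals the page calls out: secret-revealing `security(1)` invocations, non-baseline processes opening Keychain files, and a scripted parent process. The sample events are constructed, not captured logs.

```python
"""Triage constructed macOS endpoint events for suspicious Keychain access.

Added example for this page; not MITRE's or Glexia's code. The event schema
(type, user, process, parent, cmdline, path) is a hypothetical normalisation
of endpoint telemetry, and BASELINE_ACCESSORS is a constructed allowlist.
"""
import re
import shlex
from collections import Counter

# Keychain storage locations: the login keychain and the per-user Local Items
# directory live under ~/Library/Keychains/; the System keychain is
# /Library/Keychains/System.keychain.
KEYCHAIN_PATH_RE = re.compile(
    r"^(?:/Users/[^/]+/Library/Keychains/|/Library/Keychains/System\.keychain)"
)

# Constructed baseline of processes expected to open keychain files (tune per fleet).
BASELINE_ACCESSORS = {"securityd", "Keychain Access", "loginwindow", "trustd", "accountsd"}

# A shell or interpreter as parent suggests scripted rather than interactive use.
SCRIPTED_PARENTS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "ruby", "node"}

# security(1) subcommands that reveal secret material, with the flags that do so.
# An empty flag set means the subcommand itself is interesting (exporting keys).
SECRET_READING_USAGE = {
    "dump-keychain": {"-d"},                 # -d dumps cleartext item data
    "find-generic-password": {"-w", "-g"},   # -w prints the password, -g displays it
    "find-internet-password": {"-w", "-g"},
    "export": set(),
}

SEVERITY = {0: "none", 1: "low", 2: "medium", 3: "high"}


def security_cmd_reason(cmdline):
    """Return a reason string if this `security` command line reveals secrets, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes; fall back to whitespace split
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "security":
        return None
    subcommand = next((a for a in argv[1:] if not a.startswith("-")), None)
    if subcommand not in SECRET_READING_USAGE:
        return None
    revealing = SECRET_READING_USAGE[subcommand]
    flags = {a for a in argv[1:] if a.startswith("-")}
    if not revealing or flags & revealing:
        return f"security {subcommand} invoked with secret-revealing options"
    return None


def score_event(event):
    """Score one event: 0 none, 1 low, 2 medium, 3 high. Returns (score, reasons)."""
    score, reasons = 0, []
    if event["type"] == "process":
        reason = security_cmd_reason(event["cmdline"])
        if reason:
            score, reasons = 2, [reason]
    elif event["type"] == "file_open":
        if KEYCHAIN_PATH_RE.match(event["path"]) and event["process"] not in BASELINE_ACCESSORS:
            score = 1
            reasons.append(f"non-baseline process {event['process']} opened {event['path']}")
    # Escalate when the access came from a script or shell rather than an interactive app.
    if score and event.get("parent") in SCRIPTED_PARENTS:
        score += 1
        reasons.append(f"scripted parent {event['parent']}")
    return min(score, 3), reasons


def triage(events):
    """Return findings with non-zero score and a per-user count of medium/high findings."""
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score:
            findings.append({"user": event["user"], "process": event["process"],
                             "severity": SEVERITY[score], "reasons": reasons})
    per_user = Counter(f["user"] for f in findings if f["severity"] in ("medium", "high"))
    return findings, per_user


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "user": "alice", "process": "security", "parent": "Terminal",
     "cmdline": "security find-generic-password -s corp-vpn"},            # metadata only
    {"type": "process", "user": "alice", "process": "security", "parent": "bash",
     "cmdline": "security find-generic-password -s corp-vpn -w"},         # password, scripted
    {"type": "process", "user": "bob", "process": "security", "parent": "osascript",
     "cmdline": "security dump-keychain -d /Users/bob/Library/Keychains/login.keychain-db"},
    {"type": "file_open", "user": "alice", "process": "securityd", "parent": "launchd",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},          # baseline
    {"type": "file_open", "user": "bob", "process": "python3", "parent": "zsh",
     "path": "/Users/bob/Library/Keychains/login.keychain-db"},            # raw file read
    {"type": "file_open", "user": "bob", "process": "rsync", "parent": "launchd",
     "path": "/Users/bob/Library/Keychains/login.keychain-db"},            # backup job?
    {"type": "process", "user": "carol", "process": "security", "parent": "Terminal",
     "cmdline": "security list-keychains"},                                # harmless
]

if __name__ == "__main__":
    findings, per_user = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f['severity']}] user={f['user']} process={f['process']}: {'; '.join(f['reasons'])}")
    print("medium/high findings per user:", dict(per_user))
```

Run against the constructed events, the routine leaves the metadata-only lookup, the baseline securityd open and the `list-keychains` call unflagged, scores the scripted `-w` lookup and the `dump-keychain -d` run as high, the python3 read of the login keychain file as medium, and the rsync read as low. The per-user rollup is the starting point for the "unusual relative to the user" tuning the page recommends; in a real deployment the baseline set, the scripted-parent list and the severity thresholds all come from observed fleet behaviour, not from this example.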

Mitigation priorities

  • Prioritize endpoint telemetry and retention for macOS systems that handle privileged users, developers, administrators, or certificate-bearing workflows.
  • Harden identity controls around credentials that could be stored in Keychain, including rapid credential reset and certificate/key revocation procedures during IR.
  • Limit unnecessary local storage of sensitive secrets where business workflows allow, and ensure administrative access to macOS endpoints is controlled.
  • Prepare incident response procedures that treat confirmed suspicious Keychain access as a possible credential exposure event requiring identity scoping, not only host cleanup.
  • Use this detection strategy as compliance evidence only after proving local data collection, alert logic, triage steps, and response actions are operational.

Analyst notes and limits

ATT&CK provides the detection strategy name and a relationship to T1555.001 Keychain. The related technique description establishes that Keychain stores credentials and other sensitive material on macOS. Practical coverage depends on local macOS fleet management, endpoint telemetry depth, and SOC tuning.

The supplied object has no official description, no official detection text, no tactics, and no platform field. Recommendations are therefore conservative and derived from the detection strategy name plus its relationship to T1555.001 Keychain. No active exploitation, attribution, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detect Access to macOS Keychain for Credential Theft

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                      Relationship / procedure
Enterprise  T1555.001  Keychain (sub-technique)  This object detects Keychain.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b54d3a6fdfa805b8...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Object version: 1.0
Status: Current bundle
Raw hash: b54d3a6fdfa8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0396

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.