MITRE ATT&CK® Detection Strategy

DET0664: Detection of Keychain


Domain: Mobile | ID: DET0664 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0664 is a mobile ATT&CK detection strategy for activity related to iOS Keychain credential collection. Its business significance is credential risk: Keychain data can include passwords, Wi-Fi credentials, certificates, private keys, VPN credentials, and other secrets, so defenders should treat coverage around this behavior as part of mobile identity and access risk management rather than only endpoint monitoring.

Executive priority

Prioritize this as an identity and mobile security readiness question: do security teams have enough iOS device, mobile management, and incident response evidence to determine whether protected credentials may have been targeted or exposed? Because the ATT&CK object provides no official detection text or platform list for the strategy itself, leaders should ask for evidence of actual monitoring coverage, escalation paths, and containment procedures rather than assume ATT&CK alignment equals operational detection.

Technical view

The only supplied relationship is that DET0664 detects T1634.001 Keychain in the mobile ATT&CK domain, with the related technique platform identified as iOS. SOC and IR teams should validate what telemetry exists for iOS devices and managed mobile fleets that could support investigation of suspicious access to credential material or abnormal application/device behavior involving Keychain-protected data. Since no official detection logic, tactics, or platforms are specified for DET0664 itself, detection engineering should document local assumptions, data sources, and false-positive boundaries.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance state for iOS devices
  • iOS device security, configuration, and policy enforcement records where available
  • Application inventory, entitlement, and configuration evidence for managed iOS apps
  • Authentication and identity-provider logs that may show downstream use of credentials potentially stored on mobile devices
  • VPN, Wi-Fi, certificate, and private-key lifecycle records where managed by the organization

Detection direction

  • Map DET0664 explicitly to T1634.001 Keychain and verify whether existing mobile detections address credential-access risk on iOS rather than only general device compliance.
  • Validate which iOS telemetry is actually collected, retained, and searchable; ATT&CK does not provide detection logic for this strategy.
  • Correlate mobile device context with identity events, VPN use, certificate activity, and anomalous authentication to help distinguish credential misuse from normal user behavior.
  • Tune triage around managed versus unmanaged devices, expected app behavior, and administrative or support workflows to reduce false positives.
  • Document blind spots such as unmanaged BYOD devices, limited iOS forensic visibility, short retention windows, and lack of app-level telemetry.

Mitigation priorities

  • Confirm mobile device management coverage and policy enforcement for iOS devices that access business credentials or sensitive services.
  • Limit exposure of high-value credentials on mobile devices through least privilege, managed app controls, certificate governance, and conditional access where applicable.
  • Maintain incident response procedures for suspected mobile credential compromise, including identity containment, credential rotation, certificate revocation, and device handling.
  • Use this detection strategy as a compliance and readiness checkpoint: prove what evidence would be available during an investigation and who can access it.
  • Review mobile identity dependencies such as VPN, Wi-Fi, certificates, and private keys because the related technique description identifies these as possible Keychain contents.

Analyst notes and limits

This take is based on the official DET0664 metadata and its supplied relationship to T1634.001 Keychain. The detection strategy has no official description or detection guidance in the supplied fields, so recommendations are framed as validation and readiness activities rather than prescribed detections.

Platforms, tactics, and official detection text are not specified for DET0664. iOS is supported only through the related T1634.001 technique context. Local telemetry, device management architecture, ownership model, and legal/forensic constraints are required to determine practical detection coverage.

Official MITRE ATT&CK definition

Detection of Keychain

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID          Name                       Relationship / procedure
Mobile   T1634.001   Keychain (sub-technique)   This object detects Keychain.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not populated in the mirrored snapshot)
Modified: (not populated in the mirrored snapshot)
Raw hash: f785c08c5f19a970...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (not populated)   1.0              (not populated)   Current bundle   f785c08c5f19…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0664 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.