MITRE ATT&CK® Technique

T1555.001: Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.[1][2][3]

Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain -d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.[4][5]

Domain: Enterprise | ID: T1555.001 | Type: Sub-technique | Object version: 1.1 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Keychain credential access matters because macOS endpoints often hold passwords, private keys, certificates, secure notes, payment data, and application secrets in Apple’s built-in credential store. If an adversary can access Keychain data, a single compromised Mac can become an identity and secrets exposure problem rather than just an endpoint incident.

Executive priority

Prioritize this where macOS systems are used by administrators, developers, finance users, executives, or anyone handling certificates, cloud access, or sensitive application data. Leadership should ask whether macOS credential storage is covered by monitoring, whether password policy reduces the risk of unlocking stored credentials, and whether incident response playbooks treat Keychain access as potential credential compromise requiring identity review and evidence preservation.

Technical view

This is a macOS credential-access sub-technique under Credentials from Password Stores. Defenders should validate visibility into attempts to view or manipulate Keychains through Keychain Access, the built-in security command-line utility, and direct access to Keychain file locations such as ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. ATT&CK provides no official detection text for this technique, but relationship context includes detection strategy DET0396, Detect Access to macOS Keychain for Credential Theft. ATT&CK also links this behavior to multiple macOS-capable malware/tools, making it useful for detection engineering and IR scoping when suspicious macOS credential activity is observed.

Likely telemetry

  • macOS process execution and command-line evidence for the security utility
  • Process ancestry for terminal, script, or application-driven Keychain access
  • File access or read activity involving ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/
  • Use of the Keychain Access application outside expected administrative or user patterns
  • Endpoint security alerts or audit events showing credential-store access on macOS

Detection direction

  • Confirm whether DET0396-style coverage is implemented for macOS Keychain access rather than assuming general endpoint monitoring is sufficient.
  • Tune for suspicious use of the security utility and unusual access to Keychain database locations, while accounting for legitimate administration and user password-management activity.
  • Correlate Keychain access with other credential-access or post-exploitation indicators, especially when observed from unexpected parent processes or scripts.
  • Treat direct Keychain file access as higher-risk when it occurs outside normal user or system workflows.
  • Because official ATT&CK detection text is not provided, validate detections against local macOS baselines and document known blind spots in process, file, and command-line collection.
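The access methods in the ATT&CK definition (the security utility reading items, and direct opens of the keychain files) and the telemetry and detection bullets above can be turned into a concrete triage pass. The block below is an added example written for this page; it is not code from Glexia, MITRE or any endpoint product. It scores constructed macOS process-execution and file-open events: security invocations whose subcommand and flags print secret material (dump-keychain -d, find-generic-password -w/-g) score high, enumeration-only calls score medium, direct opens of keychain database files by anything other than an assumed set of expected readers score high, a script-interpreter parent escalates, and an assumed management-agent allowlist is tuned out. The event field names, the expected-reader and allowlist sets, and the sample events are all assumptions to be replaced by a site baseline.

```python
"""Keychain-access triage over constructed macOS endpoint events (T1555.001).

Added example for this page; not code from the page, MITRE or any vendor.
Event fields (type, process, parent, user, cmdline, path) are an assumed
generic EDR export, not a specific product schema. The allowlists below are
placeholders for a site baseline.
"""
import shlex
from typing import Optional

# Keychain locations named by ATT&CK for this sub-technique.
SYSTEM_KEYCHAIN_DIRS = ("/Library/Keychains/", "/Network/Library/Keychains/")
USER_KEYCHAIN_DIR = "/Library/Keychains/"          # under /Users/<name>

# `security` subcommands that read stored items, mapped to the flags that make
# them print the secret itself: dump-keychain -d decrypts item data, and the
# find-* subcommands need -w or -g to output the password.
SECRET_READERS = {
    "dump-keychain": {"-d"},
    "find-generic-password": {"-w", "-g"},
    "find-internet-password": {"-w", "-g"},
}

# Assumed baseline: processes that open keychain files in normal operation,
# and management-agent parents whose `security` use is expected.
EXPECTED_KEYCHAIN_READERS = {"securityd", "Keychain Access", "loginwindow", "trustd"}
BASELINE_ADMIN_PARENTS = {"jamf", "munki"}
# Interpreters that should not normally be the parent of a keychain reader.
SCRIPT_PARENTS = {"osascript", "python3", "python", "perl", "ruby", "node"}


def is_keychain_path(path: str) -> bool:
    """True for keychain database files in the three ATT&CK-listed locations."""
    if not path.endswith((".keychain", ".keychain-db")):
        return False
    if path.startswith(SYSTEM_KEYCHAIN_DIRS):
        return True
    return path.startswith("/Users/") and USER_KEYCHAIN_DIR in path


def parse_security_cmd(cmdline: str):
    """Return (subcommand, flags) for a `security` invocation, else (None, set()).
    Global options such as -q or -v precede the subcommand, so the subcommand
    is the first argument that does not start with a dash."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None, set()
    if not argv or argv[0].rsplit("/", 1)[-1] != "security":
        return None, set()
    sub = next((a for a in argv[1:] if not a.startswith("-")), None)
    flags = {a for a in argv[1:] if a.startswith("-")}
    return sub, flags


def score_event(ev: dict) -> Optional[dict]:
    """Return a finding for one event, or None when it matches the baseline."""
    if ev.get("parent") in BASELINE_ADMIN_PARENTS:
        return None                      # tuned out: known management agent
    severity, reasons = None, []
    if ev["type"] == "exec" and ev["process"] == "security":
        sub, flags = parse_security_cmd(ev["cmdline"])
        if sub in SECRET_READERS:
            revealing = flags & SECRET_READERS[sub]
            if revealing:
                severity = "high"
                reasons.append(f"security {sub} with {sorted(revealing)} outputs secret material")
            else:
                severity = "medium"
                reasons.append(f"security {sub} enumerates keychain items")
    elif ev["type"] == "file_open" and is_keychain_path(ev["path"]):
        if ev["process"] not in EXPECTED_KEYCHAIN_READERS:
            severity = "high"
            reasons.append(f"{ev['process']} opened {ev['path']} directly")
    if severity is None:
        return None
    if ev.get("parent") in SCRIPT_PARENTS:
        severity = "high"               # unexpected ancestry escalates
        reasons.append(f"parent {ev['parent']} is a script interpreter")
    return {"user": ev.get("user"), "process": ev["process"],
            "severity": severity, "reasons": reasons}


def run_detection(events):
    """Score every event; findings keep their source index for correlation."""
    out = []
    for i, ev in enumerate(events):
        finding = score_event(ev)
        if finding:
            finding["index"] = i
            out.append(finding)
    return out


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"type": "exec", "process": "security", "parent": "osascript", "user": "alice",
     "cmdline": "security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "exec", "process": "security", "parent": "zsh", "user": "alice",
     "cmdline": "security list-keychains"},
    {"type": "file_open", "process": "python3", "parent": "bash", "user": "alice",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_open", "process": "securityd", "parent": "launchd", "user": "root",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "exec", "process": "security", "parent": "zsh", "user": "bob",
     "cmdline": "security dump-keychain /Users/bob/Library/Keychains/login.keychain-db"},
    {"type": "exec", "process": "security", "parent": "jamf", "user": "root",
     "cmdline": "security find-generic-password -s 'vpn config' -w /Library/Keychains/System.keychain"},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['index']} user={f['user']} "
              f"proc={f['process']}: {'; '.join(f['reasons'])}")
```

Run against the sample events, the osascript-driven dump-keychain -d and the python3 open of login.keychain-db come out high, the enumeration-only dump-keychain from an interactive shell comes out medium, and the securityd open, the list-keychains call and the allowlisted management-agent read produce nothing. The point of the shape is the last bullet above: the expected-reader set and the admin allowlist are exactly the local baseline that has to be documented, and a process, file or command-line feed that is missing for macOS shows up here as a whole event type that never scores.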

Mitigation priorities

  • Apply the related ATT&CK mitigation M1027, Password Policies, with emphasis on strong passwords and prevention of password reuse.
  • Because the Login Keychain may use the current user’s login password by default, prioritize password strength for macOS accounts that have access to sensitive credentials or certificates.
  • Ensure incident response procedures include credential review and rotation decisions when Keychain access is suspected.
  • Inventory where macOS systems store high-value secrets such as private keys, certificates, application credentials, and secure notes so response teams can scope exposure quickly.
  • Use detection validation and audit evidence to show whether macOS credential-store access is monitored as part of compliance and security readiness.

Analyst notes and limits

ATT&CK identifies this as a macOS-only credential-access sub-technique and provides concrete storage locations and access mechanisms. Relationship context shows use by several macOS-capable tools and malware families, and the revoked prior technique T1142 (Keychain) maps into this sub-technique. The strongest defensive value is validating macOS credential-store visibility and ensuring that observed Keychain access moves IR from endpoint cleanup to identity and secret exposure assessment.

The supplied ATT&CK object does not include official detection guidance, and the mitigation relationship is limited to password policies. This take does not establish prevalence, active exploitation, customer exposure, or guaranteed detection coverage. Local macOS configuration, endpoint telemetry, user roles, and Keychain contents are required to determine actual risk and response scope.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1142 | Keychain | Revoked technique superseded by this object (T1555.001).
Enterprise | T1555 | Credentials from Password Stores | This object is a sub-technique of T1555.
Associated objects

Groups, software, and campaigns

Malware Enterprise

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Platforms: Android, Windows, iOS
Malware Enterprise

S9010: GlassWorm

GlassWorm is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution to victims across the various development ecosystems.[1][2][3] GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript and a variant leveraging invisible Unicode characters that made reverse engineering difficult.[4][1][5] GlassWorm has employed a unique command and control (C2) methodology using Solana blockchain.[6][1] GlassWorm was first reported in October 2025.[6][1][3]

Platforms: macOS, Windows
Malware Enterprise

S0690: Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

Platforms: Windows, iOS, macOS
Tool Enterprise

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

Platforms: Linux, macOS, Windows
Malware Enterprise

S1016: MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]

Platforms: macOS
Tool Enterprise

S0349: LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

Platforms: Linux, macOS, Windows
Malware Enterprise

S1153: Cuckoo Stealer

Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[1][2]

Platforms: macOS
Malware Enterprise

S1246: BeaverTail

BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.[1][2][3][4]

Platforms: Linux, macOS, Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 1cd7b43705a8e623...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 1cd7b43705a8…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Apple. (n.d.). Keychain Services. Apple Developer Documentation. Retrieved April 11, 2022.
  2. Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Passware. Retrieved April 13, 2022.
  3. Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.
  4. Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
  5. Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.
  6. MITRE ATT&CK. T1555.001: Keychain (mitre-attack source object).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.