1. Home
  2. Techniques
  3. Enterprise
  4. Credentials from Password Stores
  5. Keychain

Credentials from Password Stores: Keychain

ID Name
T1555.001 Keychain
T1555.002 Securityd Memory
T1555.003 Credentials from Web Browsers
T1555.004 Windows Credential Manager
T1555.005 Password Managers
T1555.006 Cloud Secrets Management Stores

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.[1][2][3]

Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain –d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.[4][5]

ID: T1555.001
Sub-technique of:  T1555
Tactic: Credential Access
Platforms: macOS
Version: 1.1
Created: 12 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1246 BeaverTail

BeaverTail has collected keys associated with macOS within /Library/Keychains/login.keychain.[6][7][8]
S0274 Calisto

Calisto collects Keychain storage data and copies those passwords/tokens to a file.[9][10]
G1052 Contagious Interview

Contagious Interview has leveraged malware variants configured to dump credentials from the macOS keychain.[11][6][7]
S1153 Cuckoo Stealer

Cuckoo Stealer can capture files from a targeted user's keychain directory.[12]
S0363 Empire

Empire uses the command /usr/bin/security dump-keychain -d to read the keychain credential.[5]
S0690 Green Lambert

Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.[13][14]

S0278 iKitten

iKitten collects the keychains on the system.[15]
S0349 LaZagne

LaZagne can obtain credentials from macOS Keychains.[16]

S1185 LightSpy

LightSpy performs an in-memory keychain query via SecItemCopyMatching() then formats the retrieved data as a JSON blob for exfiltration.[17]
S1016 MacMa

MacMa can dump credentials from the macOS keychain.[18]
S0279 Proton

Proton gathers credentials in files for keychains.[15]

Mitigations

ID Mitigation Description
M1027 Password Policies

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0396 Detect Access to macOS Keychain for Credential Theft AN1112

Detects suspicious access to macOS Keychain files and APIs. Observes processes invoking the 'security' utility or accessing Keychain databases directly, correlates these with abnormal parent process lineage or unexpected user context. Monitors attempts to dump, unlock, or read credential storage beyond normal application workflows.

References

  1. Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
  2. Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022.
  3. Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.
  4. Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
  5. Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.
  6. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
  7. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
  8. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  9. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  1. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  2. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.
  3. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  4. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  5. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  6. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  7. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  8. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025.
  9. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.