MITRE ATT&CK Technique
Description
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Keychains are the built-in way for macOS to keep track of '
"users' passwords and credentials for many services and "
'features such as WiFi passwords, websites, secure notes, '
'certificates, and Kerberos. Keychain files are located in '
'<code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, '
'and <code>/Network/Library/Keychains/</code>. (Citation: '
'Wikipedia keychain) The <code>security</code> command-line '
'utility, which is built into macOS by default, provides a '
'useful way to manage these credentials.\n'
'\n'
'To manage their credentials, users have to use additional '
'credentials to access their keychain. If an adversary knows '
'the credentials for the login keychain, then they can get '
'access to all the other credentials stored in this vault. '
'(Citation: External to DA, the OS X Way) By default, the '
'passphrase for the keychain is the user’s logon credentials.',
'external_references': [{'external_id': 'T1142',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1142'},
{'description': 'Wikipedia. (n.d.). Keychain '
'(software). Retrieved July 5, 2017.',
'source_name': 'Wikipedia keychain',
'url': 'https://en.wikipedia.org/wiki/Keychain_(software)'},
{'description': 'Alex Rymdeko-Harvey, Steve Borosh. '
'(2016, May 14). External to DA, the '
'OS X Way. Retrieved July 3, 2017.',
'source_name': 'External to DA, the OS X Way',
'url': 'http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way'}],
'id': 'attack-pattern--9e09ddb2-1746-4448-9cad-7f8b41777d6d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:49:09.306Z',
'name': 'Keychain',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.1'}