MAC-KEYCHAIN-DUMPCredential Access

macOS Keychain Dump

security dump-keychain -d login.keychain — user prompts for each item, but ChainBreaker / LockSmith / Keychaindump scripts brute the master password.

§ Where this technique fits

MAC-KEYCHAIN-DUMP is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

User foothold → keychain dump → cloud creds
Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies.
step 3 / 5

§ What commonly comes next

01
Unsecured Credentials
T1552 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

User foothold → keychain dump → cloud creds

§ What commonly comes next