
Summary
This detection rule identifies potentially malicious command-line access to the macOS SystemKey file, the key material that unlocks the System keychain. Keychains are the macOS credential store for passwords, private keys and certificates, so an adversary who can read SystemKey from the command line is positioned to decrypt the System keychain's contents offline. The rule matches process-start events whose arguments reference a SystemKey path and excludes calls originating from a small set of trusted processes. It is written in EQL (Event Query Language), carries a risk score of 73 (severity: high), and depends on Elastic Defend for the process telemetry it evaluates. Investigation and response steps are provided, together with likely false positives such as legitimate administrative tools or security agents that read the file, which should be confirmed during triage rather than dismissed.
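As an added example, not code from the rule itself or from Elastic, the following Python reimplements the detection logic described above and runs it over a handful of constructed process events. It assumes events are flattened ECS-style dictionaries with dotted keys, that the two SystemKey paths are `/var/db/SystemKey` and `/private/var/db/SystemKey` (the `/var` symlink target), and that `TRUSTED_PARENTS` is a hypothetical allowlist, since the page does not name which processes are excluded. Matching is a case-insensitive substring test on each argument, which is broader than strict argument equality and also catches the path buried inside a `sh -c "..."` string.

```python
"""Added example: SystemKey command-line access detection over sample events.

Assumptions (not from the original rule page):
  * events are flattened ECS-style dicts with dotted keys;
  * TRUSTED_PARENTS is a hypothetical allowlist of parent executables;
  * an argument matches if it contains a SystemKey path, case-insensitively.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

RULE_NAME = "Keychain SystemKey access via command line"  # illustrative name
RISK_SCORE = 73
SEVERITY = "high"

# Both spellings of the file: on macOS /var is a symlink to /private/var.
SYSTEMKEY_PATHS = ("/private/var/db/systemkey", "/var/db/systemkey")

# Hypothetical allowlist: parents whose reads are expected (e.g. an EDR agent).
TRUSTED_PARENTS = frozenset({"/Library/Application Support/ExampleEDR/agent"})

PROCESS_START_TYPES = ("start", "process_started")


@dataclass(frozen=True)
class Alert:
    rule: str
    risk_score: int
    severity: str
    executable: str
    args: tuple[str, ...]
    parent_executable: str
    matched_arg: str


def _matched_systemkey_arg(args: Iterable[str]) -> Optional[str]:
    """Return the first argument that references a SystemKey path, else None."""
    for arg in args:
        lowered = arg.lower()
        if any(path in lowered for path in SYSTEMKEY_PATHS):
            return arg
    return None


def matches_rule(event: dict) -> bool:
    """Apply the rule: macOS process start, SystemKey in args, untrusted parent."""
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.type") not in PROCESS_START_TYPES:
        return False
    if event.get("process.parent.executable") in TRUSTED_PARENTS:
        return False  # legitimate call from an allowlisted process
    return _matched_systemkey_arg(event.get("process.args", [])) is not None


def detect_systemkey_access(events: Iterable[dict]) -> list[Alert]:
    """Evaluate every event and return one Alert per matching process start."""
    alerts: list[Alert] = []
    for event in events:
        if not matches_rule(event):
            continue
        args = tuple(event.get("process.args", []))
        alerts.append(Alert(
            rule=RULE_NAME,
            risk_score=RISK_SCORE,
            severity=SEVERITY,
            executable=event.get("process.executable", ""),
            args=args,
            parent_executable=event.get("process.parent.executable", ""),
            matched_arg=_matched_systemkey_arg(args) or "",
        ))
    return alerts


def _ev(os_type: str, ev_type: str, exe: str, args: list[str], parent: str) -> dict:
    return {"host.os.type": os_type, "event.type": ev_type, "process.executable": exe,
            "process.args": args, "process.parent.executable": parent}


# Constructed sample events: two should alert, four should not.
SAMPLE_EVENTS = [
    _ev("macos", "start", "/bin/cat", ["cat", "/var/db/SystemKey"], "/bin/zsh"),
    _ev("macos", "start", "/bin/sh",
        ["sh", "-c", "xxd /private/var/db/SystemKey > /tmp/k.hex"], "/usr/bin/python3"),
    _ev("macos", "start", "/bin/cat", ["cat", "/var/db/SystemKey"],
        "/Library/Application Support/ExampleEDR/agent"),      # trusted parent
    _ev("linux", "start", "/bin/cat", ["cat", "/var/db/SystemKey"], "/bin/bash"),  # wrong OS
    _ev("macos", "end", "/bin/cat", ["cat", "/var/db/SystemKey"], "/bin/zsh"),     # not a start
    _ev("macos", "start", "/bin/ls", ["ls", "-la", "/var/db"], "/bin/zsh"),         # no SystemKey
]

if __name__ == "__main__":
    for alert in detect_systemkey_access(SAMPLE_EVENTS):
        print(f"[{alert.severity} {alert.risk_score}] {alert.executable} "
              f"(parent {alert.parent_executable}) matched on {alert.matched_arg!r}")
```

The allowlist keyed on the parent executable is the part that deserves the most scrutiny during tuning: an attacker who can spawn a child from a trusted agent would inherit the exclusion, so keep the set short and verify code signatures of anything you add to it.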
Categories
- macOS
- Endpoint
Data Sources
- Process
- Application Log
- File
ATT&CK Techniques
- T1555
- T1555.001
Created: 2020-01-07