
Summary
Detects macOS Keychain credential dumping by monitoring command-line and file access patterns that target Keychain stores. Adversaries may use built-in utilities (for example, dump-keychain -d) or read Keychain databases directly from ~/Library/Keychains/ or /Library/Keychains/ to extract plaintext credentials. The rule leverages osquery-derived Endpoint.Processes data to identify suspicious activity, flagging processes that invoke dump-keychain or keychaindump, or that access paths such as /Library/Keychains* and ~/Library/Keychains*. It aggregates context such as destination, original_file_name, and process details to show which user initiated the action and on which host and process. The technique corresponds to MITRE ATT&CK T1555.001 (Credentials In Keychains). Known false positives include legitimate administrative or troubleshooting tasks that access the Keychain. Operational deployment requires OSQuery data (via the TA-OSquery) to populate the Endpoint.Processes data model. The rule supports per-user and per-destination drilldowns and can be correlated with risk events to assess impact. Recommended mitigations include enforcing least-privilege access to Keychains, monitoring for unusual dump-keychain usage, and excluding authorized admin workflows to reduce noise. References point to OSQuery process auditing guidance and related Keychain settings. This rule serves as a safeguard against post-exploitation credential harvesting on macOS endpoints.
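As an added example (not part of this rule or its project), the pattern matching and per-user, per-destination aggregation described above, run in Python over constructed osquery-style Endpoint.Processes rows; the field names, the sample events and the AUTHORIZED_USERS allowlist are assumptions made for illustration.

```python
import fnmatch
from collections import defaultdict

# Command-line / path patterns named in the rule summary.
# "*/Library/Keychains*" covers both /Library/Keychains* and ~/Library/Keychains*
# (a tilde is expanded to /Users/<name> before the process runs).
KEYCHAIN_PATTERNS = ["*dump-keychain*", "*keychaindump*", "*/Library/Keychains*"]

# Constructed osquery-style process rows (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2026-02-24T09:01:00Z", "dest": "mac-01", "user": "alice",
     "process_name": "security", "original_file_name": "security",
     "process": "security dump-keychain -d login.keychain-db"},
    {"_time": "2026-02-24T09:01:05Z", "dest": "mac-01", "user": "alice",
     "process_name": "cat", "original_file_name": "cat",
     "process": "cat /Users/alice/Library/Keychains/login.keychain-db"},
    {"_time": "2026-02-24T09:02:00Z", "dest": "mac-02", "user": "bob",
     "process_name": "ls", "original_file_name": "ls",
     "process": "ls -la /Users/bob/Documents"},
    {"_time": "2026-02-24T09:03:00Z", "dest": "mac-03", "user": "it-admin",
     "process_name": "security", "original_file_name": "security",
     "process": "security dump-keychain -d /Library/Keychains/System.keychain"},
]

# Hypothetical allowlist for authorized admin workflows (tune per environment).
AUTHORIZED_USERS = frozenset({"it-admin"})

def matches_keychain_access(cmdline):
    """True when the command line matches any Keychain dump/access pattern."""
    return any(fnmatch.fnmatchcase(cmdline, p) for p in KEYCHAIN_PATTERNS)

def detect_keychain_dumping(events, allowlist=frozenset()):
    """Aggregate matching rows per (user, dest), mirroring the rule's drilldown fields."""
    hits = defaultdict(lambda: {"count": 0, "processes": set(), "first": None, "last": None})
    for ev in events:
        if ev["user"] in allowlist or not matches_keychain_access(ev["process"]):
            continue
        h = hits[(ev["user"], ev["dest"])]
        h["count"] += 1
        h["processes"].add(ev["process_name"])
        h["first"] = ev["_time"] if h["first"] is None else min(h["first"], ev["_time"])
        h["last"] = ev["_time"] if h["last"] is None else max(h["last"], ev["_time"])
    return [{"user": u, "dest": d, **v} for (u, d), v in sorted(hits.items())]

if __name__ == "__main__":
    for alert in detect_keychain_dumping(SAMPLE_EVENTS, AUTHORIZED_USERS):
        print(alert)
```

Without the allowlist the it-admin row is also flagged, which is the false-positive case the rule summary calls out.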
Categories
- Endpoint
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1555.001
Created: 2026-02-24