Access to Keychain Credentials Directories

Elastic Detection Rules

Summary
This detection rule targets unauthorized access to macOS keychain directories, an area of interest for adversaries seeking to extract sensitive user credentials. macOS keychains securely store credentials such as passwords and certificates. The rule is written in EQL (Event Query Language) and monitors processes that access keychain directories while excluding known legitimate processes. Alerts are generated when specific conditions suggest malicious activity, such as the use of command-line arguments that are unrelated to normal keychain management. Investigation guidelines help analysts evaluate why an alert triggered, including steps to verify the legitimacy of the process and the origin of the access attempt. Response and remediation recommendations address suspicious activity effectively, reinforcing the importance of protecting system integrity against credential theft.
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1555
  • T1555.001
Created: 2020-08-14