
Summary
This detection rule is designed to identify attempts by adversaries to access or export credentials from the macOS Keychain, a secured storage system used for managing sensitive information such as passwords, private keys, and certificates. The rule triggers when processes tied to the command-line utilities for interacting with Keychain, in particular the 'security' command, are executed through common Unix shells such as zsh, bash, or sh. The logic captures events occurring within the last two hours and matches patterns that indicate use of the 'security' command together with functions such as 'find-certificate' or actions related to dumping or exporting keychain data. By monitoring these processes, the rule helps mitigate the risk of credential theft and provides coverage for technique T1555.001, which describes credential access from password stores, specifically the macOS Keychain.
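The matching logic described above, written out as an added example that is not part of the original rule: it applies the three conditions (two-hour window, shell parent running 'security', and a find-certificate / dump / export pattern) to a handful of constructed process events. The event field names, the exact 'dump-keychain' and 'export' subcommand strings used for the "dumping or exporting" pattern, and the sample command lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample process events (not from the original page); one dict per process start.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "parent": "zsh", "process": "security",
     "cmdline": "security find-certificate -a"},                  # should alert
    {"ts": NOW - timedelta(minutes=30), "parent": "bash", "process": "security",
     "cmdline": "security dump-keychain login.keychain"},         # should alert
    {"ts": NOW - timedelta(hours=5), "parent": "sh", "process": "security",
     "cmdline": "security export -k login.keychain"},             # outside the 2-hour window
    {"ts": NOW - timedelta(minutes=2), "parent": "Finder", "process": "security",
     "cmdline": "security find-certificate -c example"},          # parent is not a Unix shell
    {"ts": NOW - timedelta(minutes=1), "parent": "zsh", "process": "security",
     "cmdline": "security list-keychains"},                       # benign subcommand, no pattern
]

SHELLS = {"zsh", "bash", "sh"}
# Keychain-access patterns the rule keys on: find-certificate, or dump/export actions
# (the concrete subcommand names here are this example's assumption).
PATTERN = re.compile(r"\b(find-certificate|dump-keychain|export)\b")


def matches(event, now=NOW, window=timedelta(hours=2)):
    """Return True when the event satisfies every condition of the rule."""
    if now - event["ts"] > window:            # only events from the last two hours
        return False
    if event["parent"] not in SHELLS:         # launched via zsh, bash or sh
        return False
    if event["process"] != "security":        # the Keychain command-line utility
        return False
    return PATTERN.search(event["cmdline"]) is not None


def run_rule(events, now=NOW):
    """Return the command lines of all events that trigger the rule."""
    return [e["cmdline"] for e in events if matches(e, now)]


if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print("ALERT: keychain access via shell ->", hit)
```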
Categories
- Endpoint
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1555.001
Created: 2024-02-09