
Summary
This detection rule monitors for potential credential access activity targeting the Keychain password store on macOS systems. It identifies use of the 'security' command-line tool, which is commonly used to access and manage Keychain items. The rule consists of two selections: the first detects attempts to find certificates in the Keychain or export data using specific command-line parameters, while the second focuses on the execution of commands related to dumping or accessing the login Keychain. An alert is triggered if either selection matches, indicating possibly malicious activity, since such actions are often associated with credential dumping tactics employed by attackers. False positives may arise from legitimate administrative activity where authorized users access Keychain data for valid purposes. This rule is particularly significant in the context of attack technique T1555.001, which pertains to credential access through password stores.
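The two-selection logic described above, as an added worked example run over constructed process-creation events (this is illustrative code, not the rule's own definition). The concrete tokens it keys on ('find-certificate', 'export', 'dump-keychain', 'login.keychain') are real 'security' subcommands and the default login keychain name, but their use here as the rule's parameters is an assumption, since the summary does not list them.

```python
"""Worked example of the macOS Keychain 'security' CLI detection described above."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed rule parameters (not quoted from the rule text): real 'security'
# subcommands for certificate lookup / export, and the login keychain name.
FIND_OR_EXPORT = ("find-certificate", "export")
DUMP_TOKENS = ("dump-keychain", "login.keychain")


@dataclass
class ProcessEvent:
    image: str          # full path of the executed binary
    command_line: str   # full command line as logged


def selection_find_or_export(ev: ProcessEvent) -> bool:
    """Selection 1: the security binary itself, asked to find certs or export data.
    Whole-token matching avoids hits on unrelated words that merely contain 'export'."""
    if not ev.image.endswith("/security"):
        return False
    return any(tok in FIND_OR_EXPORT for tok in ev.command_line.split())


def selection_dump_login_keychain(ev: ProcessEvent) -> bool:
    """Selection 2: any process whose command line dumps the login keychain via
    security (catches shell wrappers, so Image is not constrained here)."""
    cl = ev.command_line
    return "security" in cl and all(t in cl for t in DUMP_TOKENS)


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Rule condition '1 of selection_*': return the first matching selection or None."""
    if selection_find_or_export(ev):
        return "selection_find_or_export"
    if selection_dump_login_keychain(ev):
        return "selection_dump_login_keychain"
    return None


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("/usr/bin/security", "security find-certificate -a -p"),
    ProcessEvent("/usr/bin/security", "security export -k login.keychain -t certs -o out.pem"),
    ProcessEvent("/bin/zsh", "zsh -c 'security dump-keychain -d login.keychain-db'"),
    ProcessEvent("/usr/bin/security", "security list-keychains"),   # benign enumeration
    ProcessEvent("/usr/bin/env", "env export PATH=/usr/bin"),        # 'export' but not security
]


def run(events: List[ProcessEvent] = SAMPLE_EVENTS):
    return [(ev.command_line, evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for cl, hit in run():
        print(f"{('ALERT ' + hit) if hit else 'no match':38} <- {cl}")
```

The last two events show the false-positive boundary the summary mentions: ordinary keychain enumeration and an unrelated 'export' word produce no alert, while legitimate administrative use of the first three forms still would and must be handled by allow-listing downstream.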
Categories
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1555.001
Created: 2020-10-19