T1555.002 Securityd Memory Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousProcesses = dynamic(["keychaindump", "chainbreaker", "keychain-dumper", "kcpassword"]);
let MemoryAccessPatterns = dynamic(["securityd", "vmmap securityd", "lldb -p", "dtrace -p", "heap securityd", "sample securityd"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousProcesses)
    or ProcessCommandLine has_any (SuspiciousProcesses)
    or ProcessCommandLine has_any (MemoryAccessPatterns)
    or (FileName in~ ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks") and ProcessCommandLine has "securityd")
| extend MemoryDumpTool = FileName has_any ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks")
| extend KeychainDumpTool = FileName has_any (SuspiciousProcesses) or ProcessCommandLine has_any (SuspiciousProcesses)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         MemoryDumpTool, KeychainDumpTool
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Process: Process Access Command: Command Execution

Required Tables

DeviceProcessEvents

False Positives

Apple engineers or macOS kernel developers debugging securityd during development
Security researchers analyzing securityd behavior in controlled lab environments
macOS diagnostic tools automatically sampling securityd during crash reporting

Splunk

spl

index=osxlog sourcetype="syslog" OR sourcetype="osquery:results"
  ("keychaindump" OR "chainbreaker" OR "keychain-dumper" OR "kcpassword")
  OR ("securityd" AND ("vmmap" OR "lldb" OR "dtrace" OR "heap" OR "sample" OR "leaks" OR "gdb"))
  OR ("task_for_pid" AND "securityd")
| eval CommandLine=coalesce(cmdline, columns.cmdline, _raw)
| eval KeychainDumpTool=if(match(CommandLine, "(?i)(keychaindump|chainbreaker|keychain-dumper|kcpassword)"), 1, 0)
| eval MemoryAccessTool=if(match(CommandLine, "(?i)(vmmap|lldb|dtrace|heap|sample|leaks|gdb).*securityd"), 1, 0)
| eval TaskForPid=if(match(CommandLine, "task_for_pid.*securityd"), 1, 0)
| eval SuspicionScore=KeychainDumpTool*3 + MemoryAccessTool*2 + TaskForPid*2
| where SuspicionScore > 0
| table _time, host, user, CommandLine, KeychainDumpTool, MemoryAccessTool, TaskForPid, SuspicionScore
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Process: Process Access macOS Unified Log / Syslog

Required Sourcetypes

syslog osquery:results

False Positives

Apple engineers or macOS kernel developers debugging securityd during development
Security researchers analyzing securityd behavior in controlled lab environments
macOS crash reporter automatically sampling securityd during system diagnostics

Elastic Security (EQL)

eql

process where host.os.type == "macos" and (
  process.name in ("keychaindump", "chainbreaker", "keychain-dumper", "kcpassword") or
  process.command_line : ("*keychaindump*", "*chainbreaker*", "*keychain-dumper*", "*kcpassword*") or
  (
    process.name in ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb") and
    process.args : "securityd"
  ) or
  (
    process.command_line : "*securityd*" and
    process.command_line : ("*vmmap*", "*lldb*", "*dtrace*", "*heap*", "*sample*", "*leaks*", "*gdb*")
  ) or
  process.command_line : "*task_for_pid*securityd*"
)

critical severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (macOS) Elastic Agent macOS process telemetry

Required Tables

logs-endpoint.events.process-* auditbeat-*

False Positives

Authorized penetration testers or red teamers running keychain assessment tools on macOS under a signed rules of engagement document
macOS developers or platform engineers using lldb or dtrace to inspect system processes including securityd for legitimate crash analysis or security research in isolated lab environments
Automated macOS diagnostic or crash-reporting pipelines invoked by endpoint management agents (Jamf, Mosyle) that call heap, vmmap, or sample against system daemons for performance profiling

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  "process" AS ProcessName,
  "cmdline" AS CommandLine,
  CASE
    WHEN LOWER("cmdline") MATCHES '(keychaindump|chainbreaker|keychain-dumper|kcpassword)'
      OR LOWER("process") MATCHES '(keychaindump|chainbreaker|keychain-dumper|kcpassword)' THEN 3
    ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '(vmmap|lldb|dtrace|heap|sample|leaks|gdb)'
      AND LOWER("cmdline") MATCHES 'securityd' THEN 2
    ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES 'task_for_pid'
      AND LOWER("cmdline") MATCHES 'securityd' THEN 2
    ELSE 0
  END AS SuspicionScore
FROM events
WHERE (
  LOGSOURCETYPENAME(devicetype) ILIKE '%syslog%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%osquery%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%mac%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%jamf%'
)
AND (
  LOWER("cmdline") MATCHES '(keychaindump|chainbreaker|keychain-dumper|kcpassword)'
  OR LOWER("process") MATCHES '(keychaindump|chainbreaker|keychain-dumper|kcpassword)'
  OR (
    LOWER("cmdline") MATCHES 'securityd'
    AND LOWER("cmdline") MATCHES '(vmmap|lldb|dtrace|heap|sample|leaks|gdb)'
  )
  OR (
    LOWER("cmdline") MATCHES 'task_for_pid'
    AND LOWER("cmdline") MATCHES 'securityd'
  )
)
AND SuspicionScore > 0
AND devicetime > NOW() - 86400000
ORDER BY SuspicionScore DESC, devicetime DESC

critical severity medium confidence

Data Sources

IBM QRadar SIEM macOS syslog osquery Universal Log Source Jamf Pro log forwarding

Required Tables

events

False Positives

Authorized penetration testers performing macOS keychain assessments with tools such as chainbreaker under documented engagement rules logged through the same syslog sources
macOS developers using lldb to attach to system processes including securityd for crash debugging or exploit research in sanctioned development environments
IT operations staff executing dtrace-based diagnostic scripts that reference securityd as a target process as part of performance troubleshooting runbooks

Sumo Logic CSE

sql

(_sourceCategory=*mac* OR _sourceCategory=*osquery* OR _sourceCategory=*syslog* OR _sourceCategory=*endpoint*)
| where (
    toLowerCase(%process_name) in ("keychaindump", "chainbreaker", "keychain-dumper", "kcpassword")
    or toLowerCase(%cmdline) matches "(?s).*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*"
    or (
      toLowerCase(%process_name) in ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb")
      and toLowerCase(%cmdline) matches "(?s).*securityd.*"
    )
    or (
      toLowerCase(%cmdline) matches "(?s).*task_for_pid.*"
      and toLowerCase(%cmdline) matches "(?s).*securityd.*"
    )
  )
| eval KeychainDumpTool = if (toLowerCase(%cmdline) matches "(?s).*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*"
    or toLowerCase(%process_name) in ("keychaindump", "chainbreaker", "keychain-dumper", "kcpassword"), 1, 0)
| eval MemoryAccessTool = if (
    toLowerCase(%process_name) in ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb")
    and toLowerCase(%cmdline) matches "(?s).*securityd.*", 1, 0)
| eval TaskForPid = if (
    toLowerCase(%cmdline) matches "(?s).*task_for_pid.*"
    and toLowerCase(%cmdline) matches "(?s).*securityd.*", 1, 0)
| eval SuspicionScore = (KeychainDumpTool * 3) + (MemoryAccessTool * 2) + (TaskForPid * 2)
| where SuspicionScore > 0
| fields _messagetime, _sourceHost, %user, %process_name, %cmdline, KeychainDumpTool, MemoryAccessTool, TaskForPid, SuspicionScore
| sort by SuspicionScore desc, _messagetime desc

critical severity medium confidence

Data Sources

Sumo Logic CSE macOS syslog forwarding osquery CrowdStrike Falcon via Sumo Logic Carbon Black via Sumo Logic

Required Tables

_sourceCategory=*mac* _sourceCategory=*osquery* _sourceCategory=*syslog* _sourceCategory=*endpoint*

False Positives

Security team members conducting sanctioned macOS forensic investigations using chainbreaker or keychain-dumper against seized or test endpoints under documented authorization
macOS software developers using lldb in debugging sessions where securityd appears in argument lists as part of inter-process debugging workflows on development machines
Endpoint management platforms (Jamf, Mosyle) that trigger heap or vmmap diagnostics against macOS system daemons including securityd as part of automated health-check or crash-collection pipelines

Google Chronicle / SecOps

yaral

rule t1555_002_securityd_memory_credential_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects credential theft via securityd memory access on macOS (MITRE ATT&CK T1555.002). Identifies known keychain dumping tools and memory inspection utilities targeting the securityd process, including task_for_pid calls that obtain a Mach task port for direct memory reads."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.002"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.asset.platform_software.platform = "MAC"
    (
      re.regex($e.target.process.file.full_path, `(?i)(keychaindump|chainbreaker|keychain-dumper|kcpassword)`) or
      re.regex($e.target.process.command_line, `(?i)(keychaindump|chainbreaker|keychain-dumper|kcpassword)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)/(vmmap|lldb|dtrace|heap|sample|leaks|gdb)$`) and
        re.regex($e.target.process.command_line, `(?i)securityd`)
      ) or
      re.regex($e.target.process.command_line, `(?i)task_for_pid.{0,64}securityd`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM CrowdStrike Falcon via Chronicle ingestion Carbon Black Cloud via Chronicle ingestion macOS Endpoint telemetry via Chronicle forwarder

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Authorized red team operators conducting macOS-targeted assessments using keychain dump utilities against in-scope systems under a signed statement of work
macOS platform security engineers using dtrace or lldb with securityd as a target in isolated research environments or on personal test machines enrolled in an exception policy
Legitimate memory analysis or crash-reporting integrations invoked by endpoint management agents that reference securityd within their command arguments as part of automated diagnostics

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| FileName = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i
  OR CommandLine = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i
  OR (FileName = /^(vmmap|lldb|dtrace|heap|sample|leaks|gdb)$/i AND CommandLine = /securityd/i)
  OR CommandLine = /task_for_pid.{0,64}securityd/i
| KeychainDumpTool := if(
    FileName = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i
    OR CommandLine = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i,
    1, 0)
| MemoryAccessTool := if(
    FileName = /^(vmmap|lldb|dtrace|heap|sample|leaks|gdb)$/i
    AND CommandLine = /securityd/i,
    1, 0)
| TaskForPid := if(
    CommandLine = /task_for_pid.{0,64}securityd/i,
    1, 0)
| SuspicionScore := KeychainDumpTool * 3 + MemoryAccessTool * 2 + TaskForPid * 2
| SuspicionScore > 0
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, KeychainDumpTool, MemoryAccessTool, TaskForPid, SuspicionScore],
    function=[count(as=EventCount), max(@timestamp, as=LastSeen)]
  )
| sort(SuspicionScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon Real Time Response (RTR) sessions where analysts invoke memory inspection tools such as vmmap or heap against securityd as part of host-based forensic collection during an incident
macOS developers or security researchers running lldb debugging sessions on corporate endpoints where securityd is referenced as a target or appears in argument lists during inter-process debugging
Authorized penetration testing tools pre-approved in Falcon sensor exclusions that happen to match keychain dump tool names or memory inspection patterns against macOS test systems

Securityd Memory

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections