T1555.002 Google Chronicle · YARA-L

Detect Securityd Memory in Google Chronicle

An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.002 Securityd Memory
Canonical reference
https://attack.mitre.org/techniques/T1555/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1555_002_securityd_memory_credential_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects credential theft via securityd memory access on macOS (MITRE ATT&CK T1555.002). Identifies known keychain dumping tools and memory inspection utilities targeting the securityd process, including task_for_pid calls that obtain a Mach task port for direct memory reads."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.002"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.asset.platform_software.platform = "MAC"
    (
      re.regex($e.target.process.file.full_path, `(?i)(keychaindump|chainbreaker|keychain-dumper|kcpassword)`) or
      re.regex($e.target.process.command_line, `(?i)(keychaindump|chainbreaker|keychain-dumper|kcpassword)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)/(vmmap|lldb|dtrace|heap|sample|leaks|gdb)$`) and
        re.regex($e.target.process.command_line, `(?i)securityd`)
      ) or
      re.regex($e.target.process.command_line, `(?i)task_for_pid.{0,64}securityd`)
    )

  condition:
    $e
}
critical severity high confidence

Chronicle YARA-L 2.0 rule detecting macOS securityd memory access for credential theft (T1555.002). Scoped to MAC platform assets via UDM principal.asset.platform_software.platform. Matches PROCESS_LAUNCH events where the target process is a known keychain dump tool, a memory inspection binary with securityd in its command line, or any process invoking task_for_pid against securityd. All pattern matching is case-insensitive via re.regex.

Data Sources

Google Chronicle UDMCrowdStrike Falcon via Chronicle ingestionCarbon Black Cloud via Chronicle ingestionmacOS Endpoint telemetry via Chronicle forwarder

Required Tables

PROCESS_LAUNCH UDM events

False Positives & Tuning

  • Authorized red team operators conducting macOS-targeted assessments using keychain dump utilities against in-scope systems under a signed statement of work
  • macOS platform security engineers using dtrace or lldb with securityd as a target in isolated research environments or on personal test machines enrolled in an exception policy
  • Legitimate memory analysis or crash-reporting integrations invoked by endpoint management agents that reference securityd within their command arguments as part of automated diagnostics
Download portable Sigma rule (.yml)

Other platforms for T1555.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Run keychaindump to extract credentials from securityd memory

    Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error — but the attempt is still logged.

  2. Test 2Attach debugger to securityd process

    Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.

  3. Test 3Map securityd virtual memory with vmmap

    Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1555.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password ManagersT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1555.001KeychainT1003OS Credential DumpingT1003.007Proc FilesystemT1068Exploitation for Privilege EscalationT1553.006Code Signing Policy Modification

Same Tactic: Credential Access

Popular Detections