Detect Securityd Memory in Elastic Security
An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.002 Securityd Memory
- Canonical reference
- https://attack.mitre.org/techniques/T1555/002/
Elastic Detection Query
process where host.os.type == "macos" and (
process.name in ("keychaindump", "chainbreaker", "keychain-dumper", "kcpassword") or
process.command_line : ("*keychaindump*", "*chainbreaker*", "*keychain-dumper*", "*kcpassword*") or
(
process.name in ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb") and
process.args : "securityd"
) or
(
process.command_line : "*securityd*" and
process.command_line : ("*vmmap*", "*lldb*", "*dtrace*", "*heap*", "*sample*", "*leaks*", "*gdb*")
) or
process.command_line : "*task_for_pid*securityd*"
)Detects credential theft from securityd memory on macOS via known keychain dumping tools (keychaindump, chainbreaker, keychain-dumper, kcpassword) or memory inspection utilities (vmmap, lldb, dtrace, heap, sample, leaks, gdb) invoked with securityd as a target. Also detects task_for_pid calls targeting securityd, which indicates an attempt to obtain a Mach task port for memory access. Covers MITRE ATT&CK T1555.002.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testers or red teamers running keychain assessment tools on macOS under a signed rules of engagement document
- macOS developers or platform engineers using lldb or dtrace to inspect system processes including securityd for legitimate crash analysis or security research in isolated lab environments
- Automated macOS diagnostic or crash-reporting pipelines invoked by endpoint management agents (Jamf, Mosyle) that call heap, vmmap, or sample against system daemons for performance profiling
Other platforms for T1555.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Run keychaindump to extract credentials from securityd memory
Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error — but the attempt is still logged.
- Test 2Attach debugger to securityd process
Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.
- Test 3Map securityd virtual memory with vmmap
Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.
References (6)
- https://attack.mitre.org/techniques/T1555/002/
- https://web.archive.org/web/20130106164109/https://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain
- https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.002/T1555.002.md
Unlock Pro Content
Get the full detection package for T1555.002 including response playbook, investigation guide, and atomic red team tests.