T1555.002 CrowdStrike LogScale · LogScale

Detect Securityd Memory in CrowdStrike LogScale

An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.002 Securityd Memory
Canonical reference
https://attack.mitre.org/techniques/T1555/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = "ProcessRollup2"
| FileName = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i
  OR CommandLine = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i
  OR (FileName = /^(vmmap|lldb|dtrace|heap|sample|leaks|gdb)$/i AND CommandLine = /securityd/i)
  OR CommandLine = /task_for_pid.{0,64}securityd/i
| KeychainDumpTool := if(
    FileName = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i
    OR CommandLine = /keychaindump|chainbreaker|keychain-dumper|kcpassword/i,
    1, 0)
| MemoryAccessTool := if(
    FileName = /^(vmmap|lldb|dtrace|heap|sample|leaks|gdb)$/i
    AND CommandLine = /securityd/i,
    1, 0)
| TaskForPid := if(
    CommandLine = /task_for_pid.{0,64}securityd/i,
    1, 0)
| SuspicionScore := KeychainDumpTool * 3 + MemoryAccessTool * 2 + TaskForPid * 2
| SuspicionScore > 0
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, KeychainDumpTool, MemoryAccessTool, TaskForPid, SuspicionScore],
    function=[count(as=EventCount), max(@timestamp, as=LastSeen)]
  )
| sort(SuspicionScore, order=desc)
critical severity high confidence

CrowdStrike LogScale (Falcon) CQL query detecting macOS securityd memory access for credential theft (T1555.002). Queries ProcessRollup2 events for known keychain dump tool names and command line patterns, memory inspection utilities when securityd appears as an argument, and task_for_pid invocations targeting securityd. Applies weighted suspicion scoring (keychain tools 3, memory tools and task_for_pid 2 each) and groups results by host and user to surface repeat activity and prioritise triage.

Data Sources

CrowdStrike Falcon EDRFalcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon Real Time Response (RTR) sessions where analysts invoke memory inspection tools such as vmmap or heap against securityd as part of host-based forensic collection during an incident
  • macOS developers or security researchers running lldb debugging sessions on corporate endpoints where securityd is referenced as a target or appears in argument lists during inter-process debugging
  • Authorized penetration testing tools pre-approved in Falcon sensor exclusions that happen to match keychain dump tool names or memory inspection patterns against macOS test systems
Download portable Sigma rule (.yml)

Other platforms for T1555.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Run keychaindump to extract credentials from securityd memory

    Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error — but the attempt is still logged.

  2. Test 2Attach debugger to securityd process

    Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.

  3. Test 3Map securityd virtual memory with vmmap

    Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1555.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password ManagersT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1555.001KeychainT1003OS Credential DumpingT1003.007Proc FilesystemT1068Exploitation for Privilege EscalationT1553.006Code Signing Policy Modification

Same Tactic: Credential Access

Popular Detections