
Detect Securityd Memory in IBM QRadar

An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1555 Credentials from Password Stores
Sub-technique: T1555.002 Securityd Memory
Canonical reference: https://attack.mitre.org/techniques/T1555/002/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  "process" AS ProcessName,
  "cmdline" AS CommandLine,
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*'
      OR LOWER("process") MATCHES '.*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*' THEN 3
    ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(vmmap|lldb|dtrace|heap|sample|leaks|gdb).*'
      AND LOWER("cmdline") MATCHES '.*securityd.*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*task_for_pid.*'
      AND LOWER("cmdline") MATCHES '.*securityd.*' THEN 2
    ELSE 0
  END AS SuspicionScore
FROM events
WHERE (
  LOGSOURCETYPENAME(devicetype) ILIKE '%syslog%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%osquery%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%mac%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%jamf%'
)
AND (
  LOWER("cmdline") MATCHES '.*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*'
  OR LOWER("process") MATCHES '.*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*'
  OR (
    LOWER("cmdline") MATCHES '.*securityd.*'
    AND LOWER("cmdline") MATCHES '.*(vmmap|lldb|dtrace|heap|sample|leaks|gdb).*'
  )
  OR (
    LOWER("cmdline") MATCHES '.*task_for_pid.*'
    AND LOWER("cmdline") MATCHES '.*securityd.*'
  )
)
AND devicetime > NOW() - 86400000
ORDER BY SuspicionScore DESC, devicetime DESC
```

The regex patterns are wrapped in `.*` because the AQL MATCHES operator must match the entire field value, not a substring; a bare `'securityd'` pattern would only match a command line that is exactly `securityd`. The WHERE clause repeats the three scoring conditions, so every returned row already has a positive score and no filter on the SuspicionScore alias is needed (AQL does not accept a SELECT alias in WHERE). `"process"` and `"cmdline"` are custom event properties and must exist on the selected log sources.

Severity: critical. Confidence: medium.

QRadar AQL query detecting macOS securityd memory access for keychain credential theft (T1555.002). It reads from macOS syslog, osquery, and Jamf log sources and scores each event by indicator type: a known keychain dump tool name in the process name or command line scores 3, a memory inspection tool whose command line references securityd scores 2, and a task_for_pid reference together with securityd scores 2; the scores are additive. Only events with a positive suspicion score are returned, ordered by score descending and then by event time.

Data Sources

  • IBM QRadar SIEM
  • macOS syslog
  • osquery Universal Log Source
  • Jamf Pro log forwarding

Required Tables

events

False Positives & Tuning

  • Authorized penetration testers performing macOS keychain assessments with tools such as chainbreaker under documented engagement rules logged through the same syslog sources
  • macOS developers using lldb to attach to system processes including securityd for crash debugging or exploit research in sanctioned development environments
  • IT operations staff executing dtrace-based diagnostic scripts that reference securityd as a target process as part of performance troubleshooting runbooks
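To check that the scoring logic above behaves as described before deploying it, and to see how the tuning exceptions listed here can be applied as an allowlist, the following Python script re-implements the same three indicator classes over a handful of constructed osquery-style process events. This is an added example, not code from the page or from IBM; the JSON field names (hostname, username, process, cmdline), the sample events and the allowlist pairs are all assumptions made for the demonstration.

```python
import json
import re

# The three indicator classes used by the AQL query. re.search gives substring
# semantics, which is what the AQL patterns achieve by being wrapped in '.*'.
DUMP_TOOLS = re.compile(r"(keychaindump|chainbreaker|keychain-dumper|kcpassword)")
MEMORY_TOOLS = re.compile(r"(vmmap|lldb|dtrace|heap|sample|leaks|gdb)")
SECURITYD = re.compile(r"securityd")
TASK_FOR_PID = re.compile(r"task_for_pid")

# Hypothetical tuning allowlist: (username, hostname) pairs from documented
# engagement rules or runbooks. Events from these pairs are suppressed.
ALLOWLIST = {("pentest-svc", "lab-mac-01")}

# Constructed osquery-style process events, one JSON object per line.
SAMPLE_LINES = [
    '{"hostname":"mac-42","username":"root","process":"keychaindump","cmdline":"./keychaindump"}',
    '{"hostname":"mac-42","username":"root","process":"lldb","cmdline":"lldb -p 88 securityd"}',
    '{"hostname":"mac-07","username":"alice","process":"vmmap","cmdline":"vmmap 512"}',
    '{"hostname":"lab-mac-01","username":"pentest-svc","process":"chainbreaker","cmdline":"python3 chainbreaker.py --dump-all"}',
    '{"hostname":"mac-42","username":"root","process":"python3","cmdline":"python3 dump.py task_for_pid securityd"}',
    '{"hostname":"mac-99","username":"root","process":"dtrace","cmdline":"dtrace -p 88 securityd task_for_pid"}',
]


def score_event(event: dict) -> int:
    """Return the suspicion score the AQL CASE expressions would compute."""
    cmdline = event.get("cmdline", "").lower()
    process = event.get("process", "").lower()
    score = 0
    if DUMP_TOOLS.search(cmdline) or DUMP_TOOLS.search(process):
        score += 3  # known keychain dump tool
    if MEMORY_TOOLS.search(cmdline) and SECURITYD.search(cmdline):
        score += 2  # memory inspection tool aimed at securityd
    if TASK_FOR_PID.search(cmdline) and SECURITYD.search(cmdline):
        score += 2  # task_for_pid reference together with securityd
    return score


def is_allowlisted(event: dict, allowlist=ALLOWLIST) -> bool:
    return (event.get("username"), event.get("hostname")) in allowlist


def detect(lines, allowlist=ALLOWLIST):
    """Score each event, drop zero scores and allowlisted sources, sort desc."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        score = score_event(event)
        if score <= 0 or is_allowlisted(event, allowlist):
            continue
        alerts.append({
            "hostname": event.get("hostname"),
            "username": event.get("username"),
            "process": event.get("process"),
            "cmdline": event.get("cmdline"),
            "score": score,
        })
    # Stable sort: equal scores keep their original (time) order.
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(f"{alert['score']}  {alert['hostname']}  {alert['username']}  {alert['cmdline']}")
```

Running it shows the two behaviours worth confirming before the rule goes live: the plain `vmmap 512` event scores zero because no securityd reference is present, and the dtrace event scores 4 because the memory-tool and task_for_pid indicators accumulate. The allowlisted chainbreaker run from the lab host is dropped even though it would otherwise score 3; in QRadar the equivalent is an exclusion on username and hostname added to the WHERE clause rather than a Python set.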

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Run keychaindump to extract credentials from securityd memory

    Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error — but the attempt is still logged.

  2. Test 2: Attach a debugger to the securityd process

    Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.

  3. Test 3: Map securityd virtual memory with vmmap

    Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.
