Detect Securityd Memory in Microsoft Sentinel
An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.002 Securityd Memory
- Canonical reference
- https://attack.mitre.org/techniques/T1555/002/
KQL Detection Query
let SuspiciousProcesses = dynamic(["keychaindump", "chainbreaker", "keychain-dumper", "kcpassword"]);
let MemoryAccessPatterns = dynamic(["securityd", "vmmap securityd", "lldb -p", "dtrace -p", "heap securityd", "sample securityd"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousProcesses)
or ProcessCommandLine has_any (SuspiciousProcesses)
or ProcessCommandLine has_any (MemoryAccessPatterns)
or (FileName in~ ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks") and ProcessCommandLine has "securityd")
| extend MemoryDumpTool = FileName has_any ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks")
| extend KeychainDumpTool = FileName has_any (SuspiciousProcesses) or ProcessCommandLine has_any (SuspiciousProcesses)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
MemoryDumpTool, KeychainDumpTool
| sort by Timestamp descDetects attempts to read securityd process memory on macOS to extract Keychain master keys and cached credentials. Monitors for known Keychain memory dump tools (keychaindump, chainbreaker) and macOS debugging/memory analysis tools (vmmap, lldb, dtrace, heap, sample) targeting the securityd daemon. This technique requires root access and is primarily effective on older macOS versions (pre-El Capitan).
Data Sources
Required Tables
False Positives & Tuning
- Apple engineers or macOS kernel developers debugging securityd during development
- Security researchers analyzing securityd behavior in controlled lab environments
- macOS diagnostic tools automatically sampling securityd during crash reporting
Other platforms for T1555.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Run keychaindump to extract credentials from securityd memory
Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error — but the attempt is still logged.
- Test 2Attach debugger to securityd process
Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.
- Test 3Map securityd virtual memory with vmmap
Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.
References (6)
- https://attack.mitre.org/techniques/T1555/002/
- https://web.archive.org/web/20130106164109/https://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain
- https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.002/T1555.002.md
Unlock Pro Content
Get the full detection package for T1555.002 including response playbook, investigation guide, and atomic red team tests.