Detect Securityd Memory in Splunk
An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.002 Securityd Memory
- Canonical reference
- https://attack.mitre.org/techniques/T1555/002/
SPL Detection Query
index=osxlog sourcetype="syslog" OR sourcetype="osquery:results"
("keychaindump" OR "chainbreaker" OR "keychain-dumper" OR "kcpassword")
OR ("securityd" AND ("vmmap" OR "lldb" OR "dtrace" OR "heap" OR "sample" OR "leaks" OR "gdb"))
OR ("task_for_pid" AND "securityd")
| eval CommandLine=coalesce(cmdline, columns.cmdline, _raw)
| eval KeychainDumpTool=if(match(CommandLine, "(?i)(keychaindump|chainbreaker|keychain-dumper|kcpassword)"), 1, 0)
| eval MemoryAccessTool=if(match(CommandLine, "(?i)(vmmap|lldb|dtrace|heap|sample|leaks|gdb).*securityd"), 1, 0)
| eval TaskForPid=if(match(CommandLine, "task_for_pid.*securityd"), 1, 0)
| eval SuspicionScore=KeychainDumpTool*3 + MemoryAccessTool*2 + TaskForPid*2
| where SuspicionScore > 0
| table _time, host, user, CommandLine, KeychainDumpTool, MemoryAccessTool, TaskForPid, SuspicionScore
| sort - _timeDetects securityd memory access attempts using macOS syslog and osquery. Identifies dedicated Keychain memory dump tools and debugging utilities targeting the securityd daemon. The task_for_pid Mach call is required to attach to securityd — its use is a strong indicator of memory-based credential extraction.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Apple engineers or macOS kernel developers debugging securityd during development
- Security researchers analyzing securityd behavior in controlled lab environments
- macOS crash reporter automatically sampling securityd during system diagnostics
Other platforms for T1555.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Run keychaindump to extract credentials from securityd memory
Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error — but the attempt is still logged.
- Test 2Attach debugger to securityd process
Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.
- Test 3Map securityd virtual memory with vmmap
Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.
References (6)
- https://attack.mitre.org/techniques/T1555/002/
- https://web.archive.org/web/20130106164109/https://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain
- https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.002/T1555.002.md
Unlock Pro Content
Get the full detection package for T1555.002 including response playbook, investigation guide, and atomic red team tests.