Detect Securityd Memory in Sumo Logic CSE
An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1555 Credentials from Password Stores
- Sub-technique: T1555.002 Securityd Memory
- Canonical reference: https://attack.mitre.org/techniques/T1555/002/
Sumo Detection Query
(_sourceCategory=*mac* OR _sourceCategory=*osquery* OR _sourceCategory=*syslog* OR _sourceCategory=*endpoint*)
| where (
toLowerCase(%process_name) in ("keychaindump", "chainbreaker", "keychain-dumper", "kcpassword")
or toLowerCase(%cmdline) matches "(?s).*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*"
or (
toLowerCase(%process_name) in ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb")
and toLowerCase(%cmdline) matches "(?s).*securityd.*"
)
or (
toLowerCase(%cmdline) matches "(?s).*task_for_pid.*"
and toLowerCase(%cmdline) matches "(?s).*securityd.*"
)
)
| eval KeychainDumpTool = if (toLowerCase(%cmdline) matches "(?s).*(keychaindump|chainbreaker|keychain-dumper|kcpassword).*"
or toLowerCase(%process_name) in ("keychaindump", "chainbreaker", "keychain-dumper", "kcpassword"), 1, 0)
| eval MemoryAccessTool = if (
toLowerCase(%process_name) in ("vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb")
and toLowerCase(%cmdline) matches "(?s).*securityd.*", 1, 0)
| eval TaskForPid = if (
toLowerCase(%cmdline) matches "(?s).*task_for_pid.*"
and toLowerCase(%cmdline) matches "(?s).*securityd.*", 1, 0)
| eval SuspicionScore = (KeychainDumpTool * 3) + (MemoryAccessTool * 2) + (TaskForPid * 2)
| where SuspicionScore > 0
| fields _messagetime, _sourceHost, %user, %process_name, %cmdline, KeychainDumpTool, MemoryAccessTool, TaskForPid, SuspicionScore
| sort by SuspicionScore desc, _messagetime desc
Sumo Logic query detecting macOS securityd memory access for credential theft (T1555.002). Targets macOS syslog, osquery, and endpoint source categories. Identifies known keychain dump tools by process name or command line, memory inspection utilities (vmmap, lldb, dtrace, heap, sample, leaks, gdb) when securityd appears in arguments, and task_for_pid calls targeting securityd. Weighted suspicion scoring prioritises dedicated keychain tools (score 3) over general memory inspection (score 2).
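As an added example (not part of the original page or of Sumo Logic's product), the same three flags and weighted score expressed in Python and run over a handful of constructed process events, so the scoring and the "securityd must appear in the arguments" condition can be checked offline before the query is deployed; the field names and sample values are assumptions.

```python
import re

# Constructed sample events mirroring the fields the query reads
# (%process_name, %cmdline, %user); hosts and values are made up.
SAMPLE_EVENTS = [
    {"host": "mac-01", "user": "root", "process_name": "keychaindump", "cmdline": "/tmp/keychaindump"},
    {"host": "mac-02", "user": "dev", "process_name": "lldb", "cmdline": "lldb -p 312 -- securityd"},
    {"host": "mac-03", "user": "root", "process_name": "python3", "cmdline": "python3 x.py --task_for_pid securityd"},
    {"host": "mac-04", "user": "ops", "process_name": "vmmap", "cmdline": "vmmap 4421"},  # no securityd: no hit
    {"host": "mac-05", "user": "dev", "process_name": "lldb", "cmdline": "lldb ./myapp"},  # ordinary debugging
]

KEYCHAIN_TOOLS = {"keychaindump", "chainbreaker", "keychain-dumper", "kcpassword"}
MEMORY_TOOLS = {"vmmap", "lldb", "dtrace", "heap", "sample", "leaks", "gdb"}
# The query uses "(?s).*x.*"; an unanchored search on the lowercased string is equivalent.
KEYCHAIN_RE = re.compile(r"keychaindump|chainbreaker|keychain-dumper|kcpassword")
SECURITYD_RE = re.compile(r"securityd")
TASK_FOR_PID_RE = re.compile(r"task_for_pid")


def score_event(event):
    """Reproduce the query's three eval flags and the weighted SuspicionScore."""
    proc = event["process_name"].lower()
    cmd = event["cmdline"].lower()
    keychain_dump_tool = int(proc in KEYCHAIN_TOOLS or KEYCHAIN_RE.search(cmd) is not None)
    memory_access_tool = int(proc in MEMORY_TOOLS and SECURITYD_RE.search(cmd) is not None)
    task_for_pid = int(TASK_FOR_PID_RE.search(cmd) is not None and SECURITYD_RE.search(cmd) is not None)
    return {
        "KeychainDumpTool": keychain_dump_tool,
        "MemoryAccessTool": memory_access_tool,
        "TaskForPid": task_for_pid,
        "SuspicionScore": keychain_dump_tool * 3 + memory_access_tool * 2 + task_for_pid * 2,
    }


def run_detection(events):
    """Apply 'where SuspicionScore > 0' and the descending sort, as the query does."""
    hits = [{**e, **score_event(e)} for e in events]
    hits = [h for h in hits if h["SuspicionScore"] > 0]
    hits.sort(key=lambda h: h["SuspicionScore"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in run_detection(SAMPLE_EVENTS):
        print(h["host"], h["user"], h["process_name"], h["SuspicionScore"])
```

Only the first three sample events survive the filter; mac-04 and mac-05 show why the securityd-in-arguments condition keeps routine vmmap and lldb use out of the results.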
Data Sources
Required Tables
False Positives & Tuning
- Security team members conducting sanctioned macOS forensic investigations using chainbreaker or keychain-dumper against seized or test endpoints under documented authorization
- macOS software developers using lldb in debugging sessions where securityd appears in argument lists as part of inter-process debugging workflows on development machines
- Endpoint management platforms (Jamf, Mosyle) that trigger heap or vmmap diagnostics against macOS system daemons including securityd as part of automated health-check or crash-collection pipelines
Other platforms for T1555.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Run keychaindump to extract credentials from securityd memory
Expected signal: macOS Unified Log: process execution for keychaindump with root privileges. ESF process_exec and task_for_pid events. If SIP is enabled, the command will fail with a permission error, but the attempt is still logged.
- Test 2: Attach debugger to securityd process
Expected signal: macOS Unified Log: lldb process creation with securityd PID argument. ESF task_for_pid event from lldb to securityd. If SIP is enabled, lldb will be denied attachment.
- Test 3: Map securityd virtual memory with vmmap
Expected signal: macOS Unified Log: vmmap process creation with securityd PID. ESF process execution event. The vmmap output reveals memory layout but does not extract credentials directly.
References (6)
- https://attack.mitre.org/techniques/T1555/002/
- https://web.archive.org/web/20130106164109/https://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain
- https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.002/T1555.002.md