title: Securityd Memory (T1555.002)
id: df00tech-t1555-002
status: experimental
description: "An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain, yielding various plaintext passwords including user accounts, WiFi, mail, browsers, certificates, and secure notes. In OS X prior to El Capitan, users with root access could read plaintext keychain passwords of logged-in users because Apple's keychain implementation cached these credentials in securityd memory."
references:
  - https://attack.mitre.org/techniques/T1555/002/
  - https://df00tech.com/detections/T1555.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1555.002
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The technique targets macOS (securityd), so the product is set to macos.
logsource:
  category: process_creation
  product: macos
detection:
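  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a wildcard placeholder with no securityd-specific logic; replace it before use.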
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Apple engineers or macOS kernel developers debugging securityd during development
  - Security researchers analyzing securityd behavior in controlled lab environments
  - macOS diagnostic tools automatically sampling securityd during crash reporting
level: critical
