T1555.002 Securityd Memory

An adversary with root access may gather credentials by reading securityd's memory. securityd is a macOS service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan securityd's memory for the correct sequence of keys to decrypt the user's logon keychain. This can yield various plaintext credentials: user passwords, WiFi passwords, mail and browser passwords, certificates, secure notes and similar items.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)

In OS X prior to El Capitan, users with root access can read the plaintext keychain passwords of logged-in users because Apple's keychain implementation caches these credentials so that users are not repeatedly prompted for their password.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple's securityd takes the user's logon password, derives a master key from it with PBKDF2, and keeps that master key in memory. The remaining keychain keys are themselves protected by a further set of keys and algorithms, but once the master key has been located, an adversary need only iterate over those other values to unlock the final password.(Citation: OS X Keychain) El Capitan (OS X 10.11) introduced System Integrity Protection, which blocks attaching to Apple-signed system processes such as securityd even as root, so on later releases this read requires SIP to have been disabled.
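The key hierarchy the two paragraphs above describe, reduced to a runnable Python model. This is an added example, not Apple's code and not the real keychain file format: a logon password is stretched with PBKDF2 into a master key that securityd keeps in memory, per-item keys are wrapped under that master key, and an adversary who can read the process memory slides a window over the dump and tests each candidate against one wrapped key, recovering every item without ever needing the password. The wrapping primitive (an HMAC-SHA256 keystream plus a tag), the 24-byte key length, the salt, the iteration count and the layout of the memory buffer are all assumptions made for this illustration.

```python
"""Model of the securityd master-key search described above.

Added illustration, not Apple's code. The wrapping primitive, key
length, salt/iteration count and the memory layout are assumptions;
the real keychain format is not reproduced here.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 24   # assumed master-key length for this model
TAG_LEN = 16   # truncated HMAC tag used to recognise a correct key
NONCE_LEN = 12


def derive_master_key(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2 of the logon password: this is the value securityd caches in memory."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the keychain's real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_keychain(master_key: bytes, items: dict) -> list:
    """Each item gets its own key, wrapped by the master key; the item is encrypted by its own key."""
    chain = []
    for label, value in items.items():
        item_key = secrets.token_bytes(KEY_LEN)
        chain.append((label, wrap(master_key, item_key), wrap(item_key, value)))
    return chain


def find_master_key(dump: bytes, chain: list) -> Optional[bytes]:
    """Slide a KEY_LEN window over the dump; a candidate that unwraps one item key is the master key."""
    _, wrapped_item_key, _ = chain[0]
    for offset in range(len(dump) - KEY_LEN + 1):
        candidate = dump[offset:offset + KEY_LEN]
        if unwrap(candidate, wrapped_item_key) is not None:
            return candidate
    return None


def decrypt_keychain(master_key: bytes, chain: list) -> dict:
    """With the master key in hand, iterate over the wrapped keys to reach every stored secret."""
    out = {}
    for label, wrapped_item_key, wrapped_value in chain:
        item_key = unwrap(master_key, wrapped_item_key)
        if item_key is None:
            continue
        value = unwrap(item_key, wrapped_value)
        if value is not None:
            out[label] = value
    return out


def demo():
    """Constructed scenario: a logon password, two keychain items, and a fake securityd heap."""
    password = b"correct horse battery staple"
    salt = secrets.token_bytes(16)  # constructed salt, not the keychain's
    master_key = derive_master_key(password, salt)
    chain = build_keychain(master_key, {"wifi": b"HomeNet-psk-2019", "mail": b"imap-app-password"})
    # Constructed "securityd memory": the cached master key surrounded by unrelated heap bytes.
    dump = secrets.token_bytes(4096) + master_key + secrets.token_bytes(4096)
    recovered = find_master_key(dump, chain)
    if recovered is None:
        return False, {}
    return recovered == master_key, decrypt_keychain(recovered, chain)


if __name__ == "__main__":
    found, items = demo()
    print("master key recovered from dump:", found)
    for label, value in items.items():
        print(f"  {label}: {value.decode()}")
```

The validity check in find_master_key is what makes a memory scan practical: a wrong 24-byte window fails tag verification immediately, so the search costs one HMAC per offset rather than a dictionary attack on the password. That is also the defensive point behind the AC-06 and SI-04 mappings below: the cached key, not the strength of the logon password, is the asset that must be kept away from privileged readers.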


NIST 800-53 Mappings

Capability ID  Capability Description   Mapping Type  ATT&CK ID  ATT&CK Name       Notes
CA-07          Continuous Monitoring    mitigates     T1555.002  Securityd Memory
IA-05          Authenticator Management mitigates     T1555.002  Securityd Memory
SI-04          System Monitoring        mitigates     T1555.002  Securityd Memory
AC-03          Access Enforcement       mitigates     T1555.002  Securityd Memory
AC-06          Least Privilege          mitigates     T1555.002  Securityd Memory

VERIS Mappings

Capability ID                                 Capability Description                                           Mapping Type  ATT&CK ID  ATT&CK Name       Notes
action.malware.variety.Password dumper        Password dumper (extract credential hashes)                      related-to    T1555.002  Securityd Memory
action.malware.variety.RAM scraper            RAM scraper or memory parser (capture data from volatile memory) related-to    T1555.002  Securityd Memory
attribute.confidentiality.data_disclosure     None                                                             related-to    T1555.002  Securityd Memory

Azure Mappings

Capability ID              Capability Description     Mapping Type      ATT&CK ID  ATT&CK Name       Notes
alerts_for_linux_machines  Alerts for Linux Machines  technique_scores  T1555.002  Securityd Memory  This control can detect command execution associated with this technique.