Detects suspicious memory access attempts targeting the securityd process, which services the macOS Keychain and holds unlocked keychain material in memory. Observes tools invoking process memory read operations (e.g., ptrace, task_for_pid) against securityd. A task_for_pid call against a system daemon requires root, and with System Integrity Protection enabled runtime attachment to Apple system processes is refused outright, so a successful attach indicates privilege escalation as well as credential access. Correlates with anomalous parent process lineage, root privilege escalation, or repeated unauthorized attempts.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | macos:unifiedlog | ptrace or task_for_pid |
| Process Creation (DC0032) | macos:unifiedlog | execution of memory inspection tools (lldb, gdb, osqueryi) |

| Field | Description |
|---|---|
| AllowedDebuggers | List of authorized debugging tools permitted in dev/test environments |
| TimeWindow | Correlation period between memory inspection and Keychain API access |
| PrivilegedUsers | Expected set of admin accounts with legitimate debugging permissions |
Detects adversaries attempting to attach debuggers or memory dump utilities to credential storage daemons analogous to macOS securityd. Observes ptrace syscalls, /proc/

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | auditd:SYSCALL | ptrace attach |
| File Access (DC0055) | auditd:FILE | /proc/*/mem read attempt |
| Command Execution (DC0064) | auditd:EXECVE | gcore, gdb, strings, hexdump execution |

| Field | Description |
|---|---|
| MonitoredProcesses | List of credential storage daemons (e.g., securityd, gnome-keyring, kwallet) monitored for memory access attempts |
| CorrelationDepth | Defines how many chained events (process execution + syscall + file read) to correlate before raising an alert |
| PrivilegeContext | Expected user/group context for processes allowed to access protected memory |
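The following is an added example, not part of the page or of any detection product, showing how the three channels above (ptrace attach, /proc/*/mem read, memory-tool execution) and the mutable elements of both analytics (MonitoredProcesses, AllowedDebuggers, PrivilegeContext/PrivilegedUsers, TimeWindow, CorrelationDepth) combine into one correlation rule. The auditd record layout (SYSCALL, EXECVE and PATH records joined by serial number, hex-encoded a0..a3) is the real raw format, but the sample records, the pid snapshot, the syscall numbers (x86_64) and the rule keys `ptrace`, `procmem` and `memtools` are constructed; they assume audit rules of the form `-a always,exit -F arch=b64 -S ptrace -k ptrace`. The macOS analytic's ptrace/task_for_pid channel would feed the same `ptrace_attach` stage, but no unified log lines are constructed because the page does not show their format.

```python
"""Added example: correlate auditd records into alerts for memory access against credential daemons."""
import re
from collections import defaultdict

# Tunable elements named on the page; the concrete values here are example choices, not page defaults.
MONITORED_PROCESSES = {"securityd", "gnome-keyring-daemon", "kwalletd5"}
ALLOWED_DEBUGGERS = {"lldb"}       # tools permitted on dev/test hosts
PRIVILEGE_CONTEXT = {0}            # uids expected to run those tools against daemons
TIME_WINDOW = 300                  # seconds from the first suspicious event
CORRELATION_DEPTH = 2              # distinct stages required before alerting
FAILED_ATTEMPT_THRESHOLD = 3       # repeated unauthorized (success=no) attempts also alert

PTRACE_SYSCALL, EXECVE_SYSCALL = 101, 59       # x86_64 syscall numbers (assumed arch)
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206      # ptrace request codes carried in a0
MEM_TOOLS = {"gdb", "gcore", "strings", "hexdump", "lldb"}

HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_MEM = re.compile(r"^/proc/(\d+)/mem$")

def parse_record(line):
    """Split one raw auditd line into a dict; syscall arguments a0..a3 are hex strings."""
    m = HDR.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {k: v.strip('"') for k, v in KV.findall(body)}
    rec.update(type=rtype, ts=float(ts), serial=int(serial))
    return rec

def group_events(lines):
    """auditd emits several records per event; join them on the serial number."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    return [events[s] for s in sorted(events)]

def classify(event):
    """Map an event to (stage, target_pid, actor); the stages mirror the page's channels."""
    sc = next((r for r in event if r["type"] == "SYSCALL"), None)
    if sc is None:
        return None
    actor = {"ts": sc["ts"], "uid": int(sc["uid"]), "comm": sc["comm"],
             "pid": int(sc["pid"]), "success": sc.get("success") == "yes"}
    nr = int(sc["syscall"])
    if nr == PTRACE_SYSCALL and int(sc["a0"], 16) in (PTRACE_ATTACH, PTRACE_SEIZE):
        return "ptrace_attach", int(sc["a1"], 16), actor      # a1 is the target pid
    for r in event:
        m = PROC_MEM.match(r.get("name", "")) if r["type"] == "PATH" else None
        if m:
            return "procmem_read", int(m.group(1)), actor
    ex = next((r for r in event if r["type"] == "EXECVE"), None)
    if nr == EXECVE_SYSCALL and ex and ex.get("a0", "").rsplit("/", 1)[-1] in MEM_TOOLS:
        # A numeric argument (gcore PID, gdb -p PID) names the target; otherwise target is unknown.
        pids = [int(a) for a in (ex.get(f"a{i}", "") for i in range(1, int(ex["argc"]))) if a.isdigit()]
        return "memtool_exec", (pids[0] if pids else None), actor
    return None

def correlate(lines, pid_names):
    """One alert per monitored daemon whose unexplained activity reaches the depth or failure threshold."""
    per_target = defaultdict(list)
    for event in group_events(lines):
        hit = classify(event)
        if not hit:
            continue
        stage, target, actor = hit
        if pid_names.get(target) not in MONITORED_PROCESSES:
            continue
        if actor["comm"] in ALLOWED_DEBUGGERS and actor["uid"] in PRIVILEGE_CONTEXT:
            continue                                  # expected debugging, not an alert
        per_target[target].append((stage, actor))
    alerts = []
    for target, hits in sorted(per_target.items()):
        hits.sort(key=lambda h: h[1]["ts"])
        start = hits[0][1]["ts"]                      # window anchored at the first suspicious event
        window = [h for h in hits if h[1]["ts"] - start <= TIME_WINDOW]
        stages = sorted({s for s, _ in window})
        failures = sum(1 for _, a in window if not a["success"])
        if len(stages) >= CORRELATION_DEPTH or failures >= FAILED_ATTEMPT_THRESHOLD:
            alerts.append({"target_pid": target, "target": pid_names[target], "stages": stages,
                           "actors": sorted({a["comm"] for _, a in window}), "failed_attempts": failures})
    return alerts

# Constructed sample input: a pid snapshot and auditd records tagged by the assumed rule keys.
SAMPLE_PIDS = {1200: "gnome-keyring-daemon", 1300: "kwalletd5", 2500: "sshd"}
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c1e2a040 a1=55d0c1e2b100 a2=55d0c1e2c200 a3=0 items=0 ppid=2000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="gcore" exe="/usr/bin/gcore" key="memtools"
type=EXECVE msg=audit(1700000000.100:501): argc=4 a0="gcore" a1="-o" a2="/tmp/kr" a3="1200"
type=SYSCALL msg=audit(1700000000.150:502): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4b0 a2=0 a3=0 items=0 ppid=2000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="gcore" exe="/usr/bin/gcore" key="ptrace"
type=SYSCALL msg=audit(1700000000.200:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c1e2d300 a2=0 a3=0 items=1 ppid=2000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="gcore" exe="/usr/bin/gcore" key="procmem"
type=PATH msg=audit(1700000000.200:503): item=0 name="/proc/1200/mem" inode=99 dev=00:05 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:504): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=514 a2=0 a3=0 items=0 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 comm="lldb" exe="/usr/bin/lldb" key="ptrace"
type=SYSCALL msg=audit(1700000000.400:505): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=9c4 a2=0 a3=0 items=0 ppid=4000 pid=4002 auid=1000 uid=0 gid=0 euid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
"""

def analyze_sample():
    return correlate(SAMPLE_AUDIT.splitlines(), SAMPLE_PIDS)

if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

On the sample, the gcore chain against pid 1200 (execution, ptrace attach, /proc/1200/mem open) produces one alert with all three stages; the root lldb attach to kwalletd5 is suppressed by AllowedDebuggers plus PrivilegeContext, and the gdb attach to sshd is ignored because sshd is not in MonitoredProcesses. Repeated failed attaches by an unprivileged user trip the FAILED_ATTEMPT_THRESHOLD path even though only one stage is observed, which is the "repeated unauthorized attempts" case from the first analytic. The window is anchored at the first suspicious event for brevity; a streaming deployment would use a sliding window and refresh the pid-to-name snapshot as daemons restart.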