The sub-techniques beta is now live! Read the release blog post for more info.

Securityd Memory

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. [1] [2] Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. [1]

If an adversary can obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. [1] [3]

ID: T1167
Tactic: Credential Access
Platform: macOS
Permissions Required: root
Data Sources: Process monitoring
Version: 1.0
Created: 14 December 2017
Last Modified: 31 October 2018

Procedure Examples

Name Description
Keydnap

Keydnap uses the keychaindump project to read securityd memory.[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References