1. Home
  2. Techniques
  3. Enterprise
  4. Credentials from Password Stores
  5. Securityd Memory

Credentials from Password Stores: Securityd Memory

ID Name
T1555.001 Keychain
T1555.002 Securityd Memory
T1555.003 Credentials from Web Browsers
T1555.004 Windows Credential Manager
T1555.005 Password Managers
T1555.006 Cloud Secrets Management Stores

An adversary with root access may gather credentials by reading securityd’s memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization.[1] A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.[2][3]

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.[2][4] Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.[2]

ID: T1555.002
Sub-technique of:  T1555
Tactic: Credential Access
Platforms: Linux, macOS
Version: 1.2
Created: 12 February 2020
Last Modified: 15 October 2024
Version Permalink

Procedure Examples

ID Name Description
S0276 Keydnap

Keydnap uses the keychaindump project to read securityd memory.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

Analytic 1 - Commands indicating attempts to read securityd’s memory.

index=security sourcetype IN ("linux_secure", "macos_secure") event_type="process"(CommandLine IN ("gcore", "dbxutil", "vmmap", "gdb", "lldb", "memdump", "strings", "cat /proc//maps", "grep /proc//maps") OR CommandLine IN ("security find-generic-password", "security find-internet-password", "security dump-keychain"))
DS0009 Process Process Access

Monitor for processes being accessed that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

Analytic 1 - Unauthorized process access indicating attempts to read securityd’s memory.

index=security sourcetype IN ("linux_secure", "macos_secure") event_type="process"(CommandLine IN ("gcore", "dbxutil", "vmmap", "gdb", "lldb", "memdump", "strings", "cat /proc//maps", "grep /proc//maps") OR (CommandLine IN ("securityd" AND CommandLine IN ("ps", "lsof", "pmap")))

References

  1. Apple. (n.d.). Security Server and Security Agent. Retrieved March 29, 2024.
  2. Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved July 15, 2017.
  3. Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
  1. Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
  2. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.