| ID | Name |
|---|---|
| T1555.001 | Keychain |
| T1555.002 | Securityd Memory |
| T1555.003 | Credentials from Web Browsers |
| T1555.004 | Windows Credential Manager |
| T1555.005 | Password Managers |
| T1555.006 | Cloud Secrets Management Stores |
An adversary with root access may gather credentials by reading securityd’s memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization.[1] A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.[2][3]
In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.[2][4] Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.[2]
| ID | Name | Description |
|---|---|---|
| S0276 | Keydnap |
Keydnap uses the keychaindump project to read securityd memory.[5] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0057 | Detect Suspicious Access to securityd Memory for Credential Extraction | AN0156 |
Detects suspicious memory access attempts targeting the |
| AN0157 |
Detects adversaries attempting to attach debuggers or memory dump utilities to credential storage daemons analogous to macOS |