Description
An adversary with root access may gather credentials by reading securityd’s memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)
Platforms
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0276 | Keydnap | Malware | [Keydnap](https://attack.mitre.org/software/S0276) uses the keychaindump project to read securityd memory.(Citation: synack 2016 review) |
References
- Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
- Apple. (n.d.). Security Server and Security Agent. Retrieved March 29, 2024.
- Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved November 17, 2024.
- Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
Frequently Asked Questions
What is T1555.002 (Securityd Memory)?
T1555.002 is a MITRE ATT&CK technique named 'Securityd Memory'. It belongs to the Credential Access tactic(s). An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorizati...
How can T1555.002 be detected?
Detection of T1555.002 (Securityd Memory) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1555.002?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1555.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.