Skip to content

DET0057 Detect Suspicious Access to securityd Memory for Credential Extraction

Item Value
ID DET0057
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1555.002 (Securityd Memory)

Analytics

macOS

AN0156

Detects suspicious memory access attempts targeting the securityd process. Observes tools invoking process memory read operations (e.g., ptrace, task_for_pid) against securityd. Correlates with anomalous parent process lineage, root privilege escalation, or repeated unauthorized attempts.

Log Sources
Data Component Name Channel
Process Access (DC0035) macos:unifiedlog ptrace or task_for_pid
Process Creation (DC0032) macos:unifiedlog execution of memory inspection tools (lldb, gdb, osqueryi)
Mutable Elements
Field Description
AllowedDebuggers List of authorized debugging tools permitted in dev/test environments
TimeWindow Correlation period between memory inspection and Keychain API access
PrivilegedUsers Expected set of admin accounts with legitimate debugging permissions

Linux

AN0157

Detects adversaries attempting to attach debuggers or memory dump utilities to credential storage daemons analogous to macOS securityd. Observes ptrace syscalls, /proc//mem access, or gcore dumps against sensitive processes. Correlates anomalies with privilege escalation or credential dumping attempts.

Log Sources
Data Component Name Channel
Process Access (DC0035) auditd:SYSCALL ptrace attach
File Access (DC0055) auditd:FILE /proc/*/mem read attempt
Command Execution (DC0064) auditd:EXECVE gcore, gdb, strings, hexdump execution
Mutable Elements
Field Description
MonitoredProcesses List of credential storage daemons (e.g., securityd, gnome-keyring, kwallet) monitored for memory access attempts
CorrelationDepth Defines how many chained events (process execution + syscall + file read) to correlate before raising an alert
PrivilegeContext Expected user/group context for processes allowed to access protected memory