Skip to content

T1555.002 Securityd Memory

An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.12

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.13 Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.1

Item Value
ID T1555.002
Sub-techniques T1555.001, T1555.002, T1555.003, T1555.004, T1555.005
Tactics TA0006
Platforms Linux, macOS
Permissions required root
Version 1.1
Created 12 February 2020
Last Modified 08 March 2022

Procedure Examples

ID Name Description
S0276 Keydnap Keydnap uses the keychaindump project to read securityd memory.4

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Access

References

Back to top