Esc

Securityd Memory - T1555.002

(ATT&CK® Technique)

Definition

An adversary with root access may gather credentials by reading securityd’s memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1555002["Securityd Memory"] --> |accesses| In-memoryPasswordStore["In-memory Password Store"]; class T1555002 OffensiveTechniqueNode;
        class In-memoryPasswordStore ArtifactNode; click In-memoryPasswordStore href "/dao/artifact/d3f:In-memoryPasswordStore";
        click T1555002 href "/offensive-technique/attack/T1555.002/"; click In-memoryPasswordStore href "/dao/artifact/d3f:In-memoryPasswordStore";     T1555002["Securityd Memory"] --> |may-access| DatabaseFile["Database File"]; class T1555002 OffensiveTechniqueNode;
        class DatabaseFile ArtifactNode; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";
        click T1555002 href "/offensive-technique/attack/T1555.002/"; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile"; T1555002["Securityd Memory"] --> |accesses| PasswordStore["Password Store"]; class T1555002 OffensiveTechniqueNode;
        class PasswordStore ArtifactNode; click PasswordStore href "/dao/artifact/d3f:PasswordStore";
        click T1555002 href "/offensive-technique/attack/T1555.002/"; click PasswordStore href "/dao/artifact/d3f:PasswordStore";                FileAnalysis["File Analysis"] -->
          | analyzes | DatabaseFile["Database File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1555002["Securityd Memory"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | DatabaseFile["Database File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1555002["Securityd Memory"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";         DecoyFile["Decoy File"] -->
          | spoofs | DatabaseFile["Database File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1555002["Securityd Memory"] ;
          class DecoyFile DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | DatabaseFile["Database File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1555002["Securityd Memory"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | DatabaseFile["Database File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1555002["Securityd Memory"] ;
          class FileEviction DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | DatabaseFile["Database File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1555002["Securityd Memory"] ;
          class FileEncryption DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | DatabaseFile["Database File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1555002["Securityd Memory"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreDatabase["Restore Database"] -->
          | restores | In-memoryPasswordStore["In-memory Password Store"];

          RestoreDatabase["Restore Database"] -.->
            | may-restore | T1555002["Securityd Memory"] ;
          class RestoreDatabase DefensiveTechniqueNode;
          class In-memoryPasswordStore ArtifactNode;
          click RestoreDatabase href "/technique/d3f:RestoreDatabase";      RestoreFile["Restore File"] -->
          | restores | DatabaseFile["Database File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1555002["Securityd Memory"] ;
          class RestoreFile DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] -->
          | restores | PasswordStore["Password Store"];

          
          class RestoreDatabase DefensiveTechniqueNode;
          class PasswordStore ArtifactNode;
          click RestoreDatabase href "/technique/d3f:RestoreDatabase";

json