Credentials from Password Stores: Securityd Memory

On macOS, an adversary with root access can read securityd's memory and find the correct sequence of keys to decrypt the user's logon keychain, giving them access to all the information stored in the keychain, including keys and credentials in plaintext.[1] [2]

In OS X prior to El Capitan, users with root access can read the plaintext keychain passwords of logged-in users, because Apple's keychain implementation caches these credentials so that users are not repeatedly prompted for their passwords. [1] [3] Apple's securityd utility takes the user's logon password, derives a master key from it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user's password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor processes and command-line arguments for activity surrounding users searching for credentials or using automated tools to scan memory for passwords, in particular processes that attach to or read the memory of securityd.

References

ID: VT0021.002
Sub-techniques:
Tactic: Credential Access
Platforms: Linux, macOS
Permissions Required: root
Data Sources: Process monitoring
Version: 1.0

Created: 29 December 2020

Last Modified: 29 December 2020