Securityd Memory - T1555.002
(ATT&CK® Technique)
Definition
An adversary with root access may gather credentials by reading securityd's memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.
D3FEND Inferred Relationships
Artifacts touched by the offensive technique:
Securityd Memory accesses In-memory Password Store
Securityd Memory accesses Password Store
Securityd Memory may-access Database File

Defensive techniques related through those artifacts:
File Analysis analyzes Database File; may-detect Securityd Memory
File Integrity Monitoring analyzes Database File; may-detect Securityd Memory
File Encryption encrypts Database File; may-harden Securityd Memory
Content Filtering filters Database File; may-isolate Securityd Memory
Content Modification modifies Database File; may-isolate Securityd Memory
Content Quarantine quarantines Database File; may-isolate Securityd Memory
Local File Permissions restricts Database File; may-isolate Securityd Memory
Remote File Access Mediation isolates Database File; may-isolate Securityd Memory
Decoy File spoofs Database File; may-deceive Securityd Memory
File Eviction deletes Database File; may-evict Securityd Memory
Restore File restores Database File; may-restore Securityd Memory
Restore Database restores In-memory Password Store and Password Store; may-restore Securityd Memory