| ID | Name |
|---|---|
| ATAGS-T1113.001 | Cloud Secrets Management Stores |
| ATAGS-T1113.002 | Credentials from Web Browsers |
| ATAGS-T1113.003 | Keychain |
| ATAGS-T1113.004 | Password Managers |
| ATAGS-T1113.005 | Securityd Memory |
| ATAGS-T1113.006 | Windows Credential Manager |

Threat actors with root access may gather credentials by reading securityd's memory. securityd is a service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may be able to scan through securityd's memory to find the correct sequence of keys to decrypt the user's logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.