Security Rules Ready to Deploy
Production-ready CEL expressions and File Access Authorization rules for Workshop and Santa.
Block dscl Password Validation
Block infostealers from validating stolen passwords with dscl -authonly using a Workshop CEL rule that stops the credential check at the source.
Block DYLD Environment Variable Injection
Block DYLD_INSERT_LIBRARIES and other dyld environment variables to prevent code injection into third-party macOS applications. Apple platform binaries and apps built with the hardened runtime already ignore these variables unless they opt in with the allow-dyld-environment-variables entitlement, so the exposure is third-party software that has not enabled library validation.
Block Fake Password Prompts via osascript
Block osascript `display dialog` prompts that request a hidden-answer password field and mimic system authentication dialogs, stopping Atomic Stealer and Cthulhu Stealer from harvesting user credentials.
Block Legacy Unix Shells and Interpreters
Block csh, tcsh, and ksh execution to reduce attack surface, forcing attackers off rarely monitored legacy shells and onto bash and zsh, where existing logging and detection coverage apply.
Block Old Browsers Based on Signing Time
Enforce minimum Chrome and Firefox versions by comparing the binary's secure signing time in a CEL expression, so builds signed before a chosen cutoff are blocked and browsers stay patched against actively exploited CVEs.
Block Password Hash Dumping
Prevent dscl from reading the ShadowHashData attribute of local user records for offline cracking. Workshop combines a file access rule on the local directory node data with a CEL rule on dscl arguments to lock down the shadow hashes.
Block Remote Access Enablement via systemsetup
Block systemsetup from enabling SSH (`-setremotelogin on`) or remote Apple Events (`-setremoteappleevents on`) while preserving its other operations, stopping attackers from opening lateral movement channels.
Block Unauthorized VPN Software
Use Workshop Risk Engine to flag any software with VPN entitlements for admin review, blocking unauthorized tunnels that enable data exfiltration.
Detect Suspicious launchctl Load Patterns
Detect and block launchctl loading LaunchAgents from temporary directories or with randomly generated plist names, stopping malware persistence on macOS.
Monitor Launch Item Creation
Audit all writes to LaunchAgent and LaunchDaemon directories to surface persistence attempts with complete process context for incident response.
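As an added illustration of the launch item monitoring rule above (this is not the page's own rule nor a file from the Workshop or Santa projects), the following is a Santa File Access Authorization policy that audits writes to the user and system LaunchAgent and LaunchDaemon directories. It assumes Santa's documented FAA plist layout (a top-level `Version` string, a `WatchItems` dictionary whose entries carry `Paths`, `Options`, and an optional `Processes` exception list), that the file is pointed to by the `FileAccessPolicyPlist` key in Santa's managed preferences, and that the `TeamID` shown for the exempted management agent is a placeholder to be replaced with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Version is required by Santa and is echoed in every FAA event; any string works. -->
  <key>Version</key>
  <string>launch-items-audit-1</string>
  <key>WatchItems</key>
  <dict>
    <key>LaunchItemWrites</key>
    <dict>
      <key>Paths</key>
      <array>
        <!-- IsPrefix makes the rule cover every plist created or modified under the directory. -->
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/LaunchAgents/</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Library/LaunchAgents/</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Library/LaunchDaemons/</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
      </array>
      <key>Options</key>
      <dict>
        <!-- Reads are normal (launchd, Spotlight, backup agents); only writes matter here. -->
        <key>AllowReadAccess</key>
        <true/>
        <!-- AuditOnly logs the write with full process context instead of denying it.
             Flip to false only after reviewing the events this rule produces. -->
        <key>AuditOnly</key>
        <true/>
      </dict>
      <!-- Processes listed here are exempt: an MDM or software-deployment agent that
           legitimately installs launch items. TeamID below is a placeholder (assumption). -->
      <key>Processes</key>
      <array>
        <dict>
          <key>TeamID</key>
          <string>EXAMPLETEAM</string>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
```

Deploy in audit mode first: package installers, login-item setup by legitimate apps, and configuration management tools all write to these directories, and the events Santa emits (including the writing process's path, signing identity, and parent) are what tell you which of them belong in the `Processes` exemption list before you consider turning `AuditOnly` off.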