Block dscl Password Validation
Block infostealers from validating stolen passwords with dscl -authonly using a Workshop CEL rule that stops the credential check at the source.
Idea
Earlier this year, Unit 42 detected a 101% rise in infostealer activity targeting Macs. Malware families such as AMOS, Atomic Stealer, Poseidon, Cthulhu Stealer, and Odyssey all rely on a common post-exploitation trick: the malware displays a fake system dialog via osascript and tricks the user into entering their password. But how does the attacker know it's the real password? They validate it locally with dscl using the -authonly flag. With Santa and Workshop, you can use a CEL rule that simply blocks dscl whenever it is invoked with this flag.
Solutions
- Signing ID
- CEL Expression
- Custom Message
MITRE ATT&CK
Tags
Deployment Notes
This rule may impact legitimate tools that use -authonly for password verification, such as some MDM solutions. Be sure to test it in your environment before deploying widely.
False Positive Guidance
Some legitimate tools may use dscl -authonly:
- MDM solutions for password verification
- Custom IT management scripts
- Privilege escalation tools
Use Workshop tags to exempt specific hosts if needed.
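The check the rule performs (dscl invoked with -authonly, with tag-based host exemptions as described above), written out as an added Python example so the logic can be tested offline. This is not Workshop's CEL rule or Santa's code; the signing ID `platform:com.apple.dscl`, the `allow-dscl-authonly` tag name, and the sample exec events are all assumptions constructed for the example.

```python
"""Offline model of a 'block dscl -authonly' rule (added example, not Workshop/Santa code)."""
from dataclasses import dataclass

# Assumed Santa signing ID for the platform binary /usr/bin/dscl.
DSCL_SIGNING_ID = "platform:com.apple.dscl"


@dataclass
class ExecEvent:
    host: str
    signing_id: str
    argv: list
    tags: tuple = ()


def is_authonly_probe(argv):
    """True when argv is a dscl execution carrying -authonly anywhere after the binary name.

    dscl accepts the flag in any position after its options and datasource, so we do not
    assume a fixed index; the flag comparison is case-insensitive like dscl's own parsing.
    """
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return False
    return any(arg.lower() == "-authonly" for arg in argv[1:])


def redact_argv(argv):
    """Keep '-authonly <user>' but redact everything after it, so a password supplied on the
    command line never ends up in the block message or in SIEM logs."""
    out = list(argv)
    for i, arg in enumerate(out):
        if arg.lower() == "-authonly":
            for j in range(i + 2, len(out)):
                out[j] = "<redacted>"
            break
    return out


def evaluate(event, exempt_tag="allow-dscl-authonly"):
    """Return ('BLOCK', message) or ('ALLOW', reason) for one exec event."""
    if event.signing_id != DSCL_SIGNING_ID or not is_authonly_probe(event.argv):
        return ("ALLOW", "not a dscl -authonly execution")
    if exempt_tag in event.tags:  # host-level exemption, e.g. an MDM agent host
        return ("ALLOW", f"host tagged {exempt_tag}")
    return ("BLOCK", "dscl -authonly blocked: " + " ".join(redact_argv(event.argv)))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ExecEvent("mac-01", DSCL_SIGNING_ID, ["/usr/bin/dscl", ".", "-authonly", "alice", "Sample-Pass-123"]),
    ExecEvent("mac-02", DSCL_SIGNING_ID, ["/usr/bin/dscl", ".", "-read", "/Users/alice", "UniqueID"]),
    ExecEvent("mdm-03", DSCL_SIGNING_ID, ["/usr/bin/dscl", ".", "-authonly", "admin"], ("allow-dscl-authonly",)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, *evaluate(ev))
```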
Resources
Related Rules
Block Fake Password Prompts via osascript
Block osascript display dialogs that mimic system password prompts, stopping Atomic Stealer and Cthulhu Stealer from harvesting user credentials.
Block Password Hash Dumping
Prevent dscl from dumping macOS user password hashes for offline cracking. Workshop combines file access and CEL rules to lock down shadow data.