---
title: "Block dscl Password Validation | Security Cookbook"
description: "Block infostealers from validating stolen passwords with dscl -authonly using a Workshop CEL rule that stops the credential check at the source."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/block-dscl-authonly"
---

### Idea

Earlier this year, Unit 42 reported a 101% rise in infostealer activity targeting macOS, with families such as AMOS (Atomic Stealer), Poseidon, Cthulhu Stealer and Odyssey all relying on the same post-exploitation trick: the malware uses osascript to display a fake system dialog that asks the user for their password. A captured string is only worth exfiltrating if it is the real password, so the stealer verifies it locally with `dscl -authonly`, which authenticates the given user and password against the local directory service and simply succeeds or fails. With Santa and Workshop you can break that step with a single CEL rule that blocks dscl whenever it is invoked with this flag.

### Solutions

#### Block dscl -authonly

Category: Execution

Prevent password validation via dscl.

Signing ID:

```
platform:com.apple.dscl
```

CEL Expression:

```
'-authonly' in args ? BLOCKLIST : ALLOWLIST
```

Custom Message:

```
Password validation via dscl is not allowed
```
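To see precisely what the expression above allows and blocks, here is an added Python model of the rule's evaluation. It is illustrative code written for this page, not Santa's or Workshop's evaluator: it applies the signing-ID scope first, then the CEL conditional, to a few constructed command lines. CEL's `in` operator tests exact list membership, so only a standalone `-authonly` token matches; the sample set includes dscl's `-auth` command (which the cookbook rule does not cover) and a labelled hypothetical out-of-scope signing ID. The `cel_rule_extended` function goes beyond the page and shows how the expression would be widened to match both tokens.

```python
"""Model of the Workshop CEL rule  '-authonly' in args ? BLOCKLIST : ALLOWLIST

Added illustration only; Santa/Workshop evaluate CEL natively. Santa exposes
the new process's full argument vector as `args`, and CEL's `in` is exact
list membership, so the rule keys on one literal token.
"""
from dataclasses import dataclass
import shlex

SIGNING_ID = "platform:com.apple.dscl"   # scope of the rule, from the cookbook
BLOCKLIST, ALLOWLIST = "BLOCKLIST", "ALLOWLIST"
NOT_IN_SCOPE = "NOT_IN_SCOPE"            # rule does not apply; other rules decide


@dataclass(frozen=True)
class ExecEvent:
    signing_id: str
    args: tuple            # argv of the new process, argv[0] included


def cel_rule(args):
    """Python equivalent of  '-authonly' in args ? BLOCKLIST : ALLOWLIST."""
    return BLOCKLIST if "-authonly" in args else ALLOWLIST


def cel_rule_extended(args):
    """Widened form (not the cookbook's rule):
    '-authonly' in args || '-auth' in args ? BLOCKLIST : ALLOWLIST"""
    return BLOCKLIST if ("-authonly" in args or "-auth" in args) else ALLOWLIST


def evaluate(event: ExecEvent, rule=cel_rule):
    """Apply the signing-ID scope, then the CEL expression."""
    if event.signing_id != SIGNING_ID:
        return NOT_IN_SCOPE
    return rule(event.args)


def event_from_cmdline(signing_id, cmdline):
    return ExecEvent(signing_id, tuple(shlex.split(cmdline)))


# Constructed sample executions (signing IDs other than dscl's are hypothetical).
SAMPLES = [
    ("platform:com.apple.dscl", "dscl . -authonly alice hunter2"),           # stealer-style check
    ("platform:com.apple.dscl", "dscl /Local/Default -authonly alice hunter2"),
    ("platform:com.apple.dscl", "dscl . -read /Users/alice RealName"),       # benign read
    ("platform:com.apple.dscl", "dscl . -authonlyx alice hunter2"),          # substring, no match
    ("platform:com.apple.dscl", "dscl . -auth alice hunter2"),               # -auth is not matched
    ("platform:com.example.tool", "tool -authonly alice hunter2"),           # hypothetical, out of scope
]


def evaluate_samples(rule=cel_rule):
    """Return (command line, verdict) pairs for every sample."""
    return [(cmd, evaluate(event_from_cmdline(sid, cmd), rule)) for sid, cmd in SAMPLES]


if __name__ == "__main__":
    for cmd, verdict in evaluate_samples():
        print(f"{verdict:13} {cmd}")
```

The `-authonlyx` and `-auth` rows are the ones worth studying: the rule is a literal token match, not a prefix or substring match, so it is both free of accidental hits on unrelated arguments and blind to any spelling other than the one in the expression.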

### MITRE ATT&CK

Tactics:

- [Credential Access](https://attack.mitre.org/tactics/TA0006/)
- [Discovery](https://attack.mitre.org/tactics/TA0007/)

Techniques:

- [T1087: Account Discovery](https://attack.mitre.org/techniques/T1087/)
- [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/)

### Tags

dscl, password-prompt, infostealer

### Deployment Notes

This rule may impact legitimate tools that call `dscl -authonly` to verify a user's password, such as some MDM agents. Note that the expression matches only the literal `-authonly` argument; dscl's `-auth` command and other ways of checking a password fall outside it. Test the rule in your environment before deploying it widely.

### False Positive Guidance

Some legitimate tools may use dscl -authonly:

-   MDM solutions for password verification
-   Custom IT management scripts
-   Privilege elevation helpers that verify the user's password before granting admin rights

Use Workshop tags to exempt specific hosts if needed.

### Resources

- [Unit 42: macOS Stealers Growing](https://unit42.paloaltonetworks.com/macos-stealers-growing/)
- [Huntress: AMOS Stealer](https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust)
- [CYFIRMA: Odyssey Stealer](https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/)

### Related Rules

- [Block Fake Password Prompts via osascript](https://northpole.security/cookbook/block-fake-password-prompts) (Defense Evasion, Execution): Block osascript display dialogs that mimic system password prompts, stopping Atomic Stealer and Cthulhu Stealer from harvesting user credentials.
- [Block Password Hash Dumping](https://northpole.security/cookbook/block-password-hash-dumping) (Credential Protection, Multiple): Prevent dscl from dumping macOS user password hashes for offline cracking. Workshop combines file access and CEL rules to lock down shadow data.

