Block Password Hash Dumping
Prevent dscl from dumping macOS user password hashes for offline cracking. This workshop recipe combines a file access authorization (FAA) rule and a CEL rule to lock down the shadow hash data.
Idea
An attacker who already has root can read every local user's ShadowHashData (a salted PBKDF2-SHA512 hash together with its salt and iteration count) from the local Open Directory node under /var/db/dslocal/nodes/Default/users/, either by reading the per-user plist files directly or with `dscl . -read /Users/<name> ShadowHashData`. The hash is not the password, but it is everything needed to take the guessing offline and crack it. With Santa's file access authorization rules you can make sure nothing touches these "crown jewel" files, even as root, except the built-in macOS services that legitimately need them. Because dscl does not open the files itself but asks opendirectoryd (one of those allowed services) to do it, a CEL rule on the dscl command closes that second path and stops it from dumping the hash.
Solutions
- File access (FAA) rule
  - Path Prefixes:
  - Options: Allow Read Access / Audit Only / Rule Type
  - Processes: Signing ID, Signing ID
  - Custom Message:
- CEL rule
  - Identifier:
  - Rule Type:
  - Policy:
  - CEL Expression:
  - Custom Message:
MITRE ATT&CK
Tactics:
Techniques:
Tags:
Deployment Notes
Deploy both rules together for defense in depth. The FAA rule protects the record files themselves, so a root shell can no longer copy or parse the plists directly, while the CEL rule denies the dscl invocation that would pull the hash out through opendirectoryd, which the FAA rule has to leave allowed. Stage the FAA rule in audit-only mode first and review the resulting file access events for any legitimate reader you have not allow-listed before switching it to enforce: blocking opendirectoryd from its own records breaks local authentication.
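The following is an added example, not code from the workshop or from the Santa project. It builds the FAA policy described in the Idea and Deployment Notes above (path prefix under /var/db/dslocal, reads denied, an audit-only switch for staging, opendirectoryd as the only allowed process) and, to show why the files are worth fencing, decodes a constructed ShadowHashData record into the parameters an attacker would feed to an offline cracker. Assumptions, labelled in the code: the plist key names follow Santa's File Access Authorization policy format and should be checked against the FAA reference for the Santa version you deploy; the signing identifier `com.apple.opendirectoryd` and the rule name `LocalUserRecords` are the author's choices; the user record is fabricated inline with a throwaway password and is not real data.

```python
"""Added example (not Santa's own code): emit the Santa FAA policy that fences
off the local Open Directory user records, and show what an unfenced
ShadowHashData record hands an attacker.

Assumptions (not from the page):
  * Key names follow Santa's FAA policy plist format (Version, WatchItems,
    Paths/IsPrefix, Options/AllowReadAccess/AuditOnly/RuleType/BlockMessage,
    Processes/SigningID/PlatformBinary); verify against your Santa version.
  * opendirectoryd is the only built-in service let through; its signing
    identifier is assumed to be "com.apple.opendirectoryd".
  * The sample user record below is constructed for illustration only.
"""
import hashlib
import os
import plistlib

DSLOCAL_USERS = "/var/db/dslocal/nodes/Default/users/"
OPENDIRECTORYD_SIGNING_ID = "com.apple.opendirectoryd"  # assumed value


def build_faa_policy(audit_only: bool = True) -> dict:
    """Return the FAA policy as a dict ready for plistlib.

    audit_only=True logs would-be violations without blocking; run that first
    to find any legitimate reader missing from Processes before enforcing.
    """
    return {
        "Version": "1",
        "WatchItems": {
            "LocalUserRecords": {  # rule name is the author's choice
                "Paths": [{"Path": DSLOCAL_USERS, "IsPrefix": True}],
                "Options": {
                    "AllowReadAccess": False,  # reading is the attack, so deny reads too
                    "AuditOnly": audit_only,
                    "RuleType": "PathsWithAllowedProcesses",
                    "BlockMessage": "Access to local account records is restricted.",
                },
                "Processes": [
                    {"SigningID": OPENDIRECTORYD_SIGNING_ID, "PlatformBinary": True},
                ],
            }
        },
    }


def policy_to_plist(policy: dict) -> bytes:
    """Serialise the policy as the XML plist Santa loads from FileAccessPolicyPlist."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


def make_sample_user_record(password: str) -> dict:
    """Constructed stand-in for /var/db/dslocal/nodes/Default/users/<name>.plist.

    Real records carry ShadowHashData as a nested binary plist holding a
    SALTED-SHA512-PBKDF2 dict (entropy, salt, iterations). The values here are
    derived from a throwaway password purely to make the parsing below honest.
    """
    salt = os.urandom(32)
    iterations = 50_000
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=128)
    inner = {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "salt": salt, "iterations": iterations}}
    return {
        "name": ["alice"],
        "uid": ["501"],
        "ShadowHashData": [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)],
    }


def shadow_hash_summary(record: dict) -> dict:
    """What a dump yields: the hash parameters, not the password itself."""
    inner = plistlib.loads(record["ShadowHashData"][0])
    p = inner["SALTED-SHA512-PBKDF2"]
    return {
        "algorithm": "PBKDF2-HMAC-SHA512",
        "iterations": p["iterations"],
        "salt_hex": p["salt"].hex(),
        "entropy_hex": p["entropy"].hex(),
    }


def offline_guess(summary: dict, candidate: str) -> bool:
    """One step of an offline crack: recompute PBKDF2 with the stolen salt and
    iteration count and compare against the stolen entropy. No contact with
    the victim host is needed, which is why the files must never leave it."""
    derived = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode(), bytes.fromhex(summary["salt_hex"]),
        summary["iterations"], dklen=len(summary["entropy_hex"]) // 2,
    )
    return derived.hex() == summary["entropy_hex"]


if __name__ == "__main__":
    print(policy_to_plist(build_faa_policy(audit_only=True)).decode())
    rec = make_sample_user_record("correct horse")
    s = shadow_hash_summary(rec)
    print(s["algorithm"], s["iterations"], "iterations; salt", s["salt_hex"][:16], "...")
    print("wrong guess:", offline_guess(s, "password1"), "right guess:", offline_guess(s, "correct horse"))
```

Write the emitted plist to disk and point Santa's `FileAccessPolicyPlist` configuration key at it; flip `audit_only` to `False` only after the audit-mode events show no reader other than the allow-listed service.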