---
title: "Block Password Hash Dumping | Security Cookbook"
description: "Prevent dscl from dumping macOS user password hashes for offline cracking. Workshop combines file access and CEL rules to lock down shadow data."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/block-password-hash-dumping"
---

### Idea

An attacker with root access can use dscl to read encrypted password hashes and salts from /var/db/dslocal/nodes/Default/users/. Although these are not the actual passwords, the attacker can attempt to crack them offline. With Santa's file access rules, you can make sure nothing reaches these "crown jewel" files (even as root!) except built-in macOS services. You can also use a CEL rule to prevent the dscl command from dumping the hash.

### Solutions

File Access: Protect Shadow Hash Files

Restrict access to user password hash files

Path Prefixes

- /var/db/dslocal/nodes/Default/users/

Options

Allow Read Access: false

Audit Only: false

Rule Type: PathsWithAllowedProcesses

Processes

- Signing ID: platform:com.apple.opendirectoryd
- Signing ID: platform:com.apple.dscl

Custom Message

Access to password hash files is restricted

Execution: Block dscl Hash Dumping

Prevent dscl from reading ShadowHashData

Identifier

platform:com.apple.dscl

Rule Type

SIGNINGID

Policy

CEL

CEL Expression

```
'-authonly' in args ||
('-read' in args && 'dsAttrTypeNative:ShadowHashData' in args)
  ? BLOCKLIST : ALLOWLIST
```


Custom Message

Reading password hashes is not allowed

### MITRE ATT&CK

Tactics

[Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003/)

### Tags

password-hash, dscl, credentials

### Deployment Notes

Both rules can be deployed together for defense in depth. The file access authorization (FAA) rule protects the files themselves, while the CEL rule prevents the dscl command from being used to read them.
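
To check which existing dscl invocations in your admin scripts the CEL rule would block before you deploy it, the following added example (not part of the original page and not Santa's own code) models the expression in Python and runs it over constructed command lines. The function names and sample commands are assumptions for illustration; Santa itself evaluates the real expression against the process's argument list.

```python
import shlex

BLOCKLIST, ALLOWLIST = "BLOCKLIST", "ALLOWLIST"
SHADOW_ATTR = "dsAttrTypeNative:ShadowHashData"

def cel_decision(args):
    """Python model of the page's CEL expression (an approximation, not Santa).

    CEL's conditional operator binds more loosely than ||, so the whole
    disjunction is the condition; `x in args` is exact list-element equality.
    """
    blocked = "-authonly" in args or ("-read" in args and SHADOW_ATTR in args)
    return BLOCKLIST if blocked else ALLOWLIST

def audit(command_lines):
    """Return (decision, command) for every dscl command line; skip the rest."""
    results = []
    for line in command_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)          # tokenise the way a POSIX shell would
        if argv and argv[0] == "sudo":    # simple case only: bare `sudo cmd ...`
            argv = argv[1:]
        if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
            continue                      # the rule is scoped to dscl's signing ID
        results.append((cel_decision(argv), line))
    return results

# Constructed sample input: lines as they might appear in admin scripts.
SAMPLE = """\
# constructed examples, not real logs
dscl . -list /Users UniqueID
/usr/bin/dscl . -read /Users/alice RealName
sudo dscl . -read /Users/alice dsAttrTypeNative:ShadowHashData
dscl /Local/Default -authonly alice
id -u alice
""".splitlines()

def blocked_commands(lines=SAMPLE):
    """Command lines the rule would deny, i.e. automation that would break."""
    return [cmd for decision, cmd in audit(lines) if decision == BLOCKLIST]

if __name__ == "__main__":
    for decision, cmd in audit(SAMPLE):
        print(f"{decision:9}  {cmd}")
```

Any `-authonly` call is denied regardless of its other arguments, so scripts that use dscl to verify credentials will show up in the blocked list.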

### Resources

[Embrace The Red: Grabbing and Cracking macOS Hashes](https://embracethered.com/blog/posts/2022/grabbing-and-cracking-macos-hashes/)

