Credential Protection•File Access•Updated Dec 6, 2025

Protect Browser Cookies from Infostealers

Restrict Chrome and Firefox cookie databases to the browser itself, blocking infostealers like Atomic Stealer from hijacking sessions.

Idea

Browser cookies are a prime target for infostealers like Atomic Stealer (AMOS), Banshee Stealer, and Cthulhu Stealer. With 2FA becoming more prevalent, session cookies can bypass authentication entirely. This rule uses Santa's File Access Authorization to ensure only the browser itself can read its cookie database.

Solutions

File AccessChrome Cookie Protection

Restrict Chrome cookie database to Chrome processes only

Path Prefixes: •
Options: Allow Read Access:
Audit Only:
Rule Type:
Processes: •
Signing ID:
•
Signing ID:
•
Signing ID:
Custom Message

File AccessFirefox Cookie Protection

Restrict Firefox cookie database to Firefox processes only

Path Prefixes: •
Options: Allow Read Access:
Audit Only:
Rule Type:
Processes: •
Signing ID:
•
Signing ID:
•
Signing ID:
Custom Message

Mitre Attack

Tactics

Credential Access Collection

Techniques

T1539: Steal Web Session Cookie T1005: Data from Local System

Deployment Notes

This rule is safe to deploy widely as it only restricts cookie access to the browser itself. Browser extensions running in the browser process will still have access (by design).

If you use password managers or other tools that legitimately need to read browser cookies, add their signing IDs to the process list.

False Positive Guidance

Some legitimate tools may need cookie access:

Password managers importing browser credentials
Browser profile migration tools
Forensic analysis tools (add exceptions via Workshop tags)

Testing Instructions

Deploy the rule to a test host
Attempt to read Chrome cookies: sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/Cookies "SELECT * FROM cookies LIMIT 1"
Verify Santa blocks the access
Open Chrome and verify normal operation
Check Workshop Events for the blocked attempt

Detection Methods

Santa FAA Event: Cookie Access Blocked Monitor for blocked attempts to access cookie databases Query: event_type=FileAccess AND decision=DENY AND (file_path LIKE '%/Cookies' OR file_path LIKE '%/cookies.sqlite')
Jamf Protect: Unauthorized Cookie Access https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/browser_cookie_theft.json

Resources

Santa File Access Authorization DocumentationTake a look FAA Cookbook ExamplesTake a look Unit 42: macOS Stealers GrowingTake a look

Related Rules

Credential ProtectionMultiple

Protect Keychain Databases

Audit Keychain database access and block dscl from dumping password hashes, stopping infostealers like Atomic Stealer from harvesting macOS credentials.