---
title: "Protect Browser Cookies from Infostealers | Security Cookbook"
description: "Restrict Chrome and Firefox cookie databases to the browser itself, blocking infostealers like Atomic Stealer from hijacking sessions."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-browser-cookies"
---

### Idea

Browser cookies are a prime target for infostealers like Atomic Stealer (AMOS), Banshee Stealer, and Cthulhu Stealer. As 2FA becomes more prevalent, stolen session cookies let an attacker bypass authentication entirely. This rule uses Santa's File Access Authorization (FAA) to ensure only the browser itself can read its cookie database.

### Solutions

#### Chrome Cookie Protection (File Access)

Restrict Chrome cookie database to Chrome processes only

Path Prefixes

-   `/Users/*/Library/Application Support/Google/Chrome/*/Cookies`

Options

-   Allow Read Access: false
-   Audit Only: false
-   Rule Type: PathsWithAllowedProcesses

Processes

-   Signing ID: `EQHXZ8M8AV:com.google.Chrome*`
-   Signing ID: `platform:com.apple.mdworker_shared`
-   Signing ID: `platform:com.apple.mds`

Custom Message

Access to Chrome cookies is restricted

#### Firefox Cookie Protection (File Access)

Restrict Firefox cookie database to Firefox processes only

Path Prefixes

-   `/Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite`

Options

-   Allow Read Access: false
-   Audit Only: false
-   Rule Type: PathsWithAllowedProcesses

Processes

-   Signing ID: `43AQ936H96:org.mozilla.firefox*`
-   Signing ID: `platform:com.apple.mdworker_shared`
-   Signing ID: `platform:com.apple.mds`

Custom Message

Access to Firefox cookies is restricted

### MITRE ATT&CK

Tactics

-   [Credential Access](https://attack.mitre.org/tactics/TA0006/)
-   [Collection](https://attack.mitre.org/tactics/TA0009/)

Techniques

-   [T1539: Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539/)
-   [T1005: Data from Local System](https://attack.mitre.org/techniques/T1005/)

### Tags

cookies, browser, infostealer, chrome, firefox, session-hijacking

### Deployment Notes

This rule is safe to deploy widely as it only restricts cookie access to the browser itself. Browser extensions running in the browser process will still have access (by design).

If you use password managers or other tools that legitimately need to read browser cookies, add their signing IDs to the process list.

### False Positive Guidance

Some legitimate tools may need cookie access:

-   Password managers importing browser credentials
-   Browser profile migration tools
-   Forensic analysis tools (add exceptions via Workshop tags)

### Testing Instructions

1.  Deploy the rule to a test host
2.  Attempt to read Chrome cookies: `sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/Cookies "SELECT * FROM cookies LIMIT 1"`
3.  Verify Santa blocks the access
4.  Open Chrome and verify normal operation
5.  Check Workshop Events for the blocked attempt

### Detection Methods

-   **Santa FAA Event: Cookie Access Blocked**

    Monitor for blocked attempts to access cookie databases.

    Query: `event_type=FileAccess AND decision=DENY AND (file_path LIKE '%/Cookies' OR file_path LIKE '%/cookies.sqlite')`
    
-   **Jamf Protect: Unauthorized Cookie Access** [https://github.com/jamf/jamfprotect/blob/main/custom\_analytic\_detections/browser\_cookie\_theft.json](https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/browser_cookie_theft.json)
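
An added example (not part of Santa, Workshop, or the original cookbook entry) that applies the Santa FAA query above to exported event records and groups the blocked reads by host and process, so attempts can be separated from tools that need an exception. The `event_type`, `decision` and `file_path` fields come from the query; the `host` and `process_signing_id` field names and every sample event are assumptions constructed for illustration.

```python
from collections import defaultdict

# Suffixes taken from the query on this page:
#   file_path LIKE '%/Cookies' OR file_path LIKE '%/cookies.sqlite'
COOKIE_SUFFIXES = ("/Cookies", "/cookies.sqlite")

def is_cookie_deny(event):
    """True when an event record matches the page's query."""
    return (event.get("event_type") == "FileAccess"
            and event.get("decision") == "DENY"
            and str(event.get("file_path", "")).endswith(COOKIE_SUFFIXES))

def triage(events):
    """Group blocked cookie reads by (host, process signing ID).

    Rows are sorted so that processes denied on the most distinct cookie
    databases come first, then by number of denials.
    """
    groups = defaultdict(lambda: {"denials": 0, "paths": set()})
    for ev in events:
        if is_cookie_deny(ev):
            # "host" and "process_signing_id" are assumed field names.
            key = (ev.get("host", "unknown"),
                   ev.get("process_signing_id", "unsigned"))
            groups[key]["denials"] += 1
            groups[key]["paths"].add(ev["file_path"])
    rows = [(host, sid, g["denials"], sorted(g["paths"]))
            for (host, sid), g in groups.items()]
    return sorted(rows, key=lambda r: (-len(r[3]), -r[2], r[0], r[1]))

# Constructed sample events (not real telemetry); signing IDs are placeholders.
CHROME = "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"
FIREFOX = "/Users/alice/Library/Application Support/Firefox/Profiles/x.default/cookies.sqlite"
HELPER = "EXAMPLE123:com.example.helper"
SQLITE_CLI = "EXAMPLE456:com.example.sqlite-cli"

def _ev(host, sid, decision, path):
    return {"event_type": "FileAccess", "decision": decision, "host": host,
            "process_signing_id": sid, "file_path": path}

SAMPLE_EVENTS = [
    _ev("mac-01", HELPER, "DENY", CHROME),
    _ev("mac-01", HELPER, "DENY", FIREFOX),
    _ev("mac-01", HELPER, "DENY", CHROME),
    _ev("mac-02", SQLITE_CLI, "DENY", CHROME),                     # test read from step 2
    _ev("mac-02", "EQHXZ8M8AV:com.google.Chrome", "ALLOW", CHROME),  # browser itself
    _ev("mac-01", HELPER, "DENY", "/Users/alice/Documents/notes.txt"),  # other rule
]

if __name__ == "__main__":
    for host, sid, denials, paths in triage(SAMPLE_EVENTS):
        print(f"{host}  {sid}  denials={denials}  cookie_dbs={len(paths)}")
```
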
    

### Resources

-   [Santa File Access Authorization Documentation](https://northpole.dev/configuration/faa/)
-   [FAA Cookbook Examples](https://northpole.dev/cookbook/faa/#chrome-browser-cookies)
-   [Unit 42: macOS Stealers Growing](https://unit42.paloaltonetworks.com/macos-stealers-growing/)

### Related Rules

#### [Protect Keychain Databases](https://northpole.security/cookbook/protect-keychain)

Credential Protection, Multiple

Audit Keychain database access and block dscl from dumping password hashes, stopping infostealers like Atomic Stealer from harvesting macOS credentials.

