Protect Keychain Databases
Audit Keychain database access and block dscl from dumping password hashes, stopping infostealers like Atomic Stealer from harvesting macOS credentials.
Idea
macOS Keychain stores sensitive credentials including passwords, certificates, and encryption keys. Infostealers like Atomic Stealer bypass Keychain access controls by copying the database files to an unprotected location. This cookbook entry provides both monitoring (FAA audit) and blocking (CEL for dscl) approaches.
Solutions
FAA audit rule (field values were not captured on this page):
- Path Prefixes
- Options: Allow Read Access; Audit Only; Rule Type
- Processes: Signing ID (six entries)
- Custom Message
dscl blocking CEL rule (field values were not captured on this page):
- Signing ID
- CEL Expression
- Custom Message
Mitre Attack
Tactics
Tags
Deployment Notes
Deploy the FAA audit rule first to understand which processes legitimately access Keychain files in your environment. The dscl blocking rule is safe to deploy widely.
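As an added example (not from this cookbook entry or from Santa's own code), the following Python builds the Keychain FAA watch item in audit mode, serialises it as a plist, and triages the resulting audit events to find processes that are not on the allow list before the rule is switched to blocking. The config key names are what the editor assumes for Santa's FAA plist, the Keychain paths are the standard macOS locations, and the log line format, policy name and signing IDs are constructed.

```python
"""Keychain FAA watch item (audit first, then block) plus audit-log triage.
Config keys assume Santa's FAA plist layout; Keychain paths are the standard
macOS locations; log lines, policy name and signing IDs are constructed."""
import plistlib

# Per-user login/iCloud keychains and the system keychain
KEYCHAIN_PREFIXES = ["/Users/*/Library/Keychains/", "/Library/Keychains/"]
POLICY_NAME = "KeychainDatabases"  # assumed policy name


def keychain_watch_item(allowed_signing_ids, audit_only=True):
    """Build one WatchItems entry: only the listed signing IDs may touch the files."""
    return {
        "Paths": [{"Path": p, "IsPrefix": True} for p in KEYCHAIN_PREFIXES],
        "Options": {
            "AllowReadAccess": False,  # a read is all a copy-and-exfiltrate stealer needs
            "AuditOnly": audit_only,   # log only until the allow list is verified
            "RuleType": "PathsWithAllowedProcesses",
            "BlockMessage": "Keychain database access is restricted on this host.",
        },
        "Processes": [{"SigningID": sid} for sid in allowed_signing_ids],
    }


def faa_config_plist(allowed_signing_ids, audit_only=True):
    """Serialise a complete FAA config (Version + WatchItems) as XML plist bytes."""
    item = keychain_watch_item(allowed_signing_ids, audit_only)
    return plistlib.dumps({"Version": "keychain-1", "WatchItems": {POLICY_NAME: item}})


def unexpected_accessors(audit_lines, allowed_signing_ids):
    """Map signing IDs seen in AUDIT events for this policy, but not allow-listed, to paths touched."""
    unexpected = {}
    for line in audit_lines:
        fields = dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)
        if fields.get("decision") != "AUDIT" or fields.get("policy_name") != POLICY_NAME:
            continue
        sid = fields.get("signingid") or "<unsigned>"  # unsigned copiers get their own bucket
        if sid not in allowed_signing_ids:
            unexpected.setdefault(sid, set()).add(fields.get("path"))
    return unexpected


# Constructed sample: one legitimate platform process, one unsigned copier, one unrelated event
ALLOWED = ["platform:com.apple.securityd"]
SAMPLE_AUDIT = [
    "action=FILE_ACCESS|policy_name=KeychainDatabases|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|signingid=platform:com.apple.securityd",
    "action=FILE_ACCESS|policy_name=KeychainDatabases|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|process=cp|signingid=",
    "action=EXEC|decision=ALLOW|path=/bin/ls",
]

if __name__ == "__main__":
    print(unexpected_accessors(SAMPLE_AUDIT, ALLOWED))  # {'<unsigned>': {'/Users/alice/Library/Keychains/login.keychain-db'}}
```

Once the audit period shows only expected signing IDs, call `faa_config_plist(ALLOWED, audit_only=False)` to emit the blocking version of the same rule.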
Related Rules
Block dscl Password Validation
Block infostealers from validating stolen passwords with dscl -authonly using a Workshop CEL rule that stops the credential check at the source.
Protect SSH Private Keys
Lock SSH private keys to ssh, git, and signed system processes while keeping public keys and config readable, stopping infostealers from credential theft.
Protect Browser Cookies from Infostealers
Restrict Chrome and Firefox cookie databases to the browser itself, blocking infostealers like Atomic Stealer from hijacking sessions.