---
title: "Protect Keychain Databases | Security Cookbook"
description: "Audit Keychain database access and block dscl from dumping password hashes, stopping infostealers like Atomic Stealer from harvesting macOS credentials."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-keychain"
---

### Idea

macOS Keychain stores sensitive credentials, including passwords, certificates and encryption keys. Applications reach it through the Keychain API, which securityd mediates, but the database files themselves (login.keychain-db under ~/Library/Keychains) are ordinary files readable by the owning user. Infostealers like Atomic Stealer sidestep the access controls by copying those files out and exfiltrating them; the victim's login password, which the malware validates with dscl -authonly, then unlocks the copy offline. This cookbook entry provides both a monitoring approach (a File Access Authorization, FAA, audit rule on the Keychain directory) and a blocking approach (a CEL execution rule for dscl).

### Solutions

#### Monitor Keychain Access (File Access)

Audit all access to Keychain database files.

Path Prefixes

- /Users/\*/Library/Keychains/

Options

- Allow Read Access: true
- Audit Only: true
- Rule Type: PathsWithAllowedProcesses

Processes

- Signing ID: platform:com.apple.securityd
- Signing ID: platform:com.apple.mdworker_shared
- Signing ID: platform:com.apple.backupd
- Signing ID: platform:com.apple.MigrationAssistant
- Signing ID: platform:com.apple.security.XPCKeychainSandboxCheck
- Signing ID: platform:com.apple.Safari

Custom Message

Keychain access detected
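Tuning the allowlist from the audit events this rule generates, as an added example (not code from northpole.security or from the Santa project): it parses constructed log lines in the shape of Santa's pipe-delimited string log, keeps the FILE_ACCESS events whose path lies under the Keychain prefix, and counts the executables that are not yet trusted. The key names in the sample (decision, access_type, processpath) are assumptions to check against the log format you deploy. Santa's string log identifies the process by path, while the rule above allowlists by signing ID, so a path surfaced here has to be mapped to its signing ID (for example with codesign -dv) before it goes into the Processes list.

```python
"""Triage Santa file-access audit events to tune the Keychain FAA allowlist.

Added example for this cookbook entry; not code from northpole.security or
from Santa. The log lines below are constructed and only approximate the
shape of Santa's pipe-delimited string log (action=FILE_ACCESS|key=value|...);
the key names decision, access_type and processpath are assumptions to verify
against the Santa release and log format you actually run.
"""
import fnmatch
from collections import Counter

# The cookbook rule's path prefix; '*' stands for any user's home directory.
WATCHED_PREFIX = "/Users/*/Library/Keychains/"

# Executable paths already trusted for this constructed sample. The real rule
# allowlists signing IDs, and the string log only names the executable path,
# so a new path found here is mapped to its signing ID (codesign -dv <path>)
# before it is added to the rule.
TRUSTED_PATHS = {
    "/usr/sbin/securityd",
    "/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared",
}

# Constructed sample: platform processes on two users' keychains, one event
# outside the watched prefix, one non-FAA exec event, and an unsigned binary
# from /private/tmp (plus a cp it spawned) copying login.keychain-db out.
SAMPLE_LOG = """\
action=FILE_ACCESS|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|pid=455|process=securityd|processpath=/usr/sbin/securityd|uid=0|user=root
action=FILE_ACCESS|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|pid=812|process=mdworker_shared|processpath=/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared|uid=501|user=alice
action=FILE_ACCESS|path=/Users/bob/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|pid=455|process=securityd|processpath=/usr/sbin/securityd|uid=0|user=root
action=FILE_ACCESS|path=/Users/alice/Library/Cookies/Cookies.binarycookies|access_type=OPEN|decision=AUDIT|pid=1201|process=Safari|processpath=/Applications/Safari.app/Contents/MacOS/Safari|uid=501|user=alice
action=EXEC|decision=ALLOW|reason=BINARY|pid=9022|process=Installer|processpath=/private/tmp/Installer.app/Contents/MacOS/Installer|uid=501|user=alice
action=FILE_ACCESS|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|pid=9022|process=Installer|processpath=/private/tmp/Installer.app/Contents/MacOS/Installer|uid=501|user=alice
action=FILE_ACCESS|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|pid=9023|process=cp|processpath=/bin/cp|uid=501|user=alice
action=FILE_ACCESS|path=/Users/alice/Library/Keychains/login.keychain-db|access_type=OPEN|decision=AUDIT|pid=9022|process=Installer|processpath=/private/tmp/Installer.app/Contents/MacOS/Installer|uid=501|user=alice
"""


def parse_line(line):
    """Split one pipe-delimited key=value line into a dict (unknown keys kept)."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def under_watched_prefix(path, prefix=WATCHED_PREFIX):
    """True if path lies below the watched prefix for any user directory.
    fnmatch's '*' also matches '/', which is exactly what a prefix rule wants."""
    return fnmatch.fnmatchcase(path, prefix + "*")


def keychain_access_events(log_text):
    """Return the FILE_ACCESS events whose path is under the Keychain prefix."""
    return [
        f for f in map(parse_line, log_text.splitlines())
        if f.get("action") == "FILE_ACCESS" and under_watched_prefix(f.get("path", ""))
    ]


def unexpected_processes(events, trusted_paths=TRUSTED_PATHS):
    """Count events per executable path not already trusted.
    A steady count from a platform binary is an allowlist gap to fill; a hit
    from /private/tmp or another user-writable path is the copy-out case."""
    return Counter(
        e["processpath"] for e in events if e.get("processpath") not in trusted_paths
    )


def by_user(events):
    """Accounts the access ran as. The infostealer needs no privilege here:
    the keychain file belongs to the logged-in user."""
    return Counter(e.get("user", "?") for e in events)


if __name__ == "__main__":
    events = keychain_access_events(SAMPLE_LOG)
    for path, n in unexpected_processes(events).most_common():
        print(f"{n:3d}  {path}")
    print(dict(by_user(events)))
```

Run as a script it prints the untrusted executables ranked by hit count; against a real export, expect platform binaries to dominate and treat anything under /private/tmp, ~/Downloads or another user-writable location as the copy-out behaviour the Idea section describes.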

#### Block Password Hash Dumping (Execution)

Prevent dscl from reading password hash data.

Signing ID

platform:com.apple.dscl

CEL Expression

```cel
'-authonly' in args ||
('-read' in args && 'dsAttrTypeNative:ShadowHashData' in args)
  ? BLOCKLIST : ALLOWLIST
```

Custom Message

Reading password hashes is not allowed
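Exercising the dscl rule offline, as an added example (not code from northpole.security or from Santa, and not a CEL evaluator): cookbook_rule() re-implements the expression above in Python token for token, since CEL's `in` on a list is an exact string membership test, just as Python's is. hardened_rule() is an assumed wider variant that also catches spellings dscl accepts: command words without the leading dash (dscl . read ...), the attribute without its dsAttrTypeNative: prefix, and -readall. HARDENED_CEL is the same match written in standard CEL with the exists() macro and matches(); whether Santa's CEL environment accepts it is an assumption to verify on your build. The argv samples are constructed.

```python
"""Exercise the page's dscl CEL rule offline and compare it with a wider match.

Added example for this cookbook entry; not code from northpole.security or
from Santa, and not a CEL evaluator. cookbook_rule() mirrors the page's
expression exactly; hardened_rule() and HARDENED_CEL are assumed variants
that widen the token match. The argv samples are constructed.
"""
import re

BLOCKLIST, ALLOWLIST = "BLOCKLIST", "ALLOWLIST"


def cookbook_rule(args):
    """The page's expression, as written:

        '-authonly' in args ||
        ('-read' in args && 'dsAttrTypeNative:ShadowHashData' in args)
          ? BLOCKLIST : ALLOWLIST
    """
    if "-authonly" in args or (
        "-read" in args and "dsAttrTypeNative:ShadowHashData" in args
    ):
        return BLOCKLIST
    return ALLOWLIST


# Anchored patterns. dscl takes its command words with or without the leading
# dash and resolves attribute names with or without the dsAttrTypeNative:
# prefix, so both forms are matched. CEL's string.matches() is an unanchored
# RE2 search, hence the explicit ^ and $ in HARDENED_CEL as well.
AUTHONLY = re.compile(r"^-?authonly$")
READ_CMD = re.compile(r"^-?read(all)?$")
SHADOW_HASH = re.compile(r"^(dsAttrTypeNative:)?ShadowHashData$")

# Same match in standard CEL (exists() macro plus matches()); assumed, not
# taken from the page. Verify your Santa build accepts it before deploying.
HARDENED_CEL = """\
args.exists(a, a.matches('^-?authonly$')) ||
(args.exists(a, a.matches('^-?read(all)?$')) &&
 args.exists(a, a.matches('^(dsAttrTypeNative:)?ShadowHashData$')))
  ? BLOCKLIST : ALLOWLIST
"""


def hardened_rule(args):
    """Same decision structure as cookbook_rule with the widened token match."""
    if any(AUTHONLY.match(a) for a in args) or (
        any(READ_CMD.match(a) for a in args)
        and any(SHADOW_HASH.match(a) for a in args)
    ):
        return BLOCKLIST
    return ALLOWLIST


# Constructed argv samples, argv[0] included. The first is the call an
# infostealer makes to validate a phished login password.
SAMPLES = [
    ["dscl", ".", "-authonly", "alice", "hunter2"],
    ["dscl", ".", "-read", "/Users/alice", "dsAttrTypeNative:ShadowHashData"],
    ["dscl", ".", "read", "/Users/alice", "ShadowHashData"],
    ["dscl", ".", "-readall", "/Users", "ShadowHashData"],
    ["dscl", ".", "authonly", "alice", "hunter2"],
    ["dscl", ".", "-read", "/Users/alice", "RealName"],
    ["dscl", ".", "-list", "/Users"],
]


def coverage_gaps(samples=SAMPLES):
    """argv lists the page's rule allows but the hardened rule blocks."""
    return [
        a for a in samples
        if cookbook_rule(a) == ALLOWLIST and hardened_rule(a) == BLOCKLIST
    ]


if __name__ == "__main__":
    for argv in SAMPLES:
        print(f"{cookbook_rule(argv):9s} {hardened_rule(argv):9s} {' '.join(argv)}")
```

The two benign samples (reading RealName, listing /Users) stay allowed under both rules, so the wider match does not turn the rule into a blanket dscl block; it only closes the alternate spellings of the same two requests.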

### Mitre Attack

Tactics

[Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

- [T1555.001: Keychain](https://attack.mitre.org/techniques/T1555/001/)
- [T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003/)

### Tags

keychain, passwords, credentials, dscl, infostealer

### Deployment Notes

Deploy the FAA rule first in audit mode and review the FILE_ACCESS events it produces to learn which processes legitimately touch Keychain files in your environment. The allowlist above covers the platform processes seen on a stock install; third-party backup or sync agents that copy the home directory will show up and need to be added by signing ID. Note that Allow Read Access: true exempts read operations from the rule, so as written it only reports writes, renames and deletes inside the directory, and copying a keychain file out, which is what an infostealer does, is a read. Once the allowlist is tuned, set Allow Read Access to false while still in Audit Only mode, confirm the event volume is manageable, and only then consider enforcement.

The dscl blocking rule is safe to deploy widely: ShadowHashData is readable only by root, and few legitimate workflows validate a password with dscl -authonly. The CEL expression matches exact tokens, and dscl also accepts its command words without the leading dash (dscl . read ...) and attribute names without the dsAttrTypeNative: prefix, so widen the match if you want those spellings covered as well.

### Related Rules

- [Block dscl Password Validation](https://northpole.security/cookbook/block-dscl-authonly) (Discovery Prevention, Execution): Block infostealers from validating stolen passwords with dscl -authonly using a Workshop CEL rule that stops the credential check at the source.
- [Protect SSH Private Keys](https://northpole.security/cookbook/protect-ssh-keys) (Credential Protection, File Access): Lock SSH private keys to ssh, git, and signed system processes while keeping public keys and config readable, stopping infostealers from credential theft.
- [Protect Browser Cookies from Infostealers](https://northpole.security/cookbook/protect-browser-cookies) (Credential Protection, File Access): Restrict Chrome and Firefox cookie databases to the browser itself, blocking infostealers like Atomic Stealer from hijacking sessions.
