Protect Slack Cookies from Infostealers
Stop infostealers from harvesting Slack session cookies on macOS using Workshop file access rules that limit reads to Slack itself and Spotlight.
Idea
Slack is built with Electron (Chromium + Node.js), and like other Electron apps, stores session cookies in predictable locations. These cookies provide authenticated access to Slack workspaces, making them high-value targets for infostealers.
This rule prevents reads of Slack cookies except by Slack itself and the Spotlight indexing process. By restricting access to only the legitimate processes that need these files, you can prevent credential theft even if malware gets onto the system.
The utility of this protection was highlighted by SpecterOps in their talk "Modern macOS Red Teaming Tactics" where they demonstrated how Slack cookies can be exfiltrated and used to access corporate Slack workspaces.
Solutions
- Path Prefixes
  - 
  - 
  - 
  - 
- Options
  - Allow Read Access:
  - Audit Only:
  - Rule Type:
- Processes
  - Signing ID:
  - Signing ID:
  - Signing ID:
  - 
- Custom Message
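The fields above (path prefixes, read-access and audit-only options, rule type, process signing IDs, custom message) map onto the keys of a Santa file access authorization (FAA) WatchItems configuration. The plist below is an added example, not the rule export from Workshop or from the Santa project; it assumes the rule is deployed as a Santa FAA plist, and every path, team ID, bundle ID and Spotlight signing identifier in it is a placeholder or assumption to be replaced with the values from the rule itself.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Version</key>
  <string>slack-cookies-example-1</string>
  <key>WatchItems</key>
  <dict>
    <key>SlackCookies</key>
    <dict>
      <!-- Placeholder path globs: one pair for the standard install, one pair
           for the sandboxed App Store container. <SLACK_BUNDLE_ID> must be
           replaced with the bundle ID used by the Workshop rule. Both the
           active Cookies file and StaleCookies are covered, as the rule notes. -->
      <key>Paths</key>
      <array>
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/Application Support/Slack/Cookies</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/Application Support/Slack/StaleCookies</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/Containers/&lt;SLACK_BUNDLE_ID&gt;/Data/Library/Application Support/Slack/Cookies</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/Containers/&lt;SLACK_BUNDLE_ID&gt;/Data/Library/Application Support/Slack/StaleCookies</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
      </array>
      <key>Options</key>
      <dict>
        <!-- Reads are the operation infostealers perform, so reads are NOT
             allowed for unlisted processes. -->
        <key>AllowReadAccess</key>
        <false/>
        <!-- Start in audit-only mode: violations are logged but not blocked.
             Flip to false once the logs show only expected readers. -->
        <key>AuditOnly</key>
        <true/>
        <!-- The listed paths may be accessed only by the listed processes. -->
        <key>RuleType</key>
        <string>PathsWithAllowedProcesses</string>
        <key>BlockMessage</key>
        <string>Access to Slack session cookies is restricted to Slack and Spotlight.</string>
      </dict>
      <key>Processes</key>
      <array>
        <!-- Placeholder signing ID for Slack: TEAMID:bundle-id form. -->
        <dict>
          <key>SigningID</key>
          <string>&lt;SLACK_TEAM_ID&gt;:&lt;SLACK_BUNDLE_ID&gt;</string>
        </dict>
        <!-- Assumed identity of the Spotlight indexing worker, expressed as an
             Apple platform binary. Verify the exact signing ID on a test host
             before relying on it. -->
        <dict>
          <key>PlatformBinary</key>
          <true/>
          <key>SigningID</key>
          <string>platform:com.apple.mdworker_shared</string>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
```

The rule is deliberately an allowlist (`PathsWithAllowedProcesses`) rather than a denylist of known stealers: any process not carrying one of the listed signing identities is denied, which is what makes it hold up against malware that was not known when the rule was written. Keeping `AuditOnly` on for a first deployment window lets you confirm from the FAA logs that nothing other than Slack and Spotlight reads these files before enforcement starts; any backup or monitoring agent that shows up in those logs is a candidate for the allowlist rather than a reason to loosen the rule.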
MITRE ATT&CK
Tags
Deployment Notes
This rule covers both the standard Slack app installation and the sandboxed Mac App Store version. It protects both active cookies (Cookies) and stale cookies (StaleCookies) that may still contain valid session tokens.
Slack cookies provide authenticated access to all Slack workspaces the user is signed into, making them extremely valuable for attackers.
This rule is similar to the Chrome cookie protection from Day 6 of the advent calendar, as Slack is built on the same Electron/Chromium technology.
False Positive Guidance
Only Slack and Spotlight should legitimately access these cookie files. If you have legitimate automation or monitoring tools that need to read Slack cookies, add their signing IDs to the allowlist.
Note that some backup software may need access - consider exempting backup processes if needed.