---
title: "Restrict Dangerous Security Command Operations | Security Cookbook"
description: "Block the security command from dumping Keychain contents or adding trusted certificates, stopping credential theft and MITM attack vectors."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/restrict-security-command"
---

### Idea

macOS ships a built-in `security` command that attackers abuse for a range of sensitive operations, such as dumping Keychain contents or adding a trusted certificate to enable MITM attacks. Using the examples documented on LOOBins, we can block all of these nasty actions with Workshop and Santa CEL rules.

The security command is a powerful tool that can dump credentials, keys, certificates, and other sensitive information from the keychain. It can also be used to add trusted certificates, which could enable MITM attacks. While the command has legitimate uses, we can block the most dangerous operations with CEL rules.

### Solutions

Execution

Block Keychain Dumping and Certificate Trust

Prevent security command from dumping keychain or adding trusted certs

Identifier

platform:com.apple.security

Rule Type

SIGNINGID

Policy

CEL

CEL Expression

```
args.exists(a, a in [
  'dump-keychain', 'dump-trust-settings', 'find-generic-password', 'find-internet-password',
  'find-identity', 'add-trusted-cert', 'add-certificates',
  'unlock-keychain', 'set-key-partition-list'
]) ? BLOCKLIST : ALLOWLIST
```


Custom Message

This security command operation is not allowed

### Mitre Attack

Tactics

-   [Credential Access](https://attack.mitre.org/tactics/TA0006/)
-   [Defense Impairment](https://attack.mitre.org/tactics/TA0112/)

Techniques

-   [T1555.001: Keychain](https://attack.mitre.org/techniques/T1555/001/)
-   [T1553.004: Install Root Certificate](https://attack.mitre.org/techniques/T1553/004/)

### Tags

-   keychain
-   credentials
-   loobins
-   mitm

### Deployment Notes

This rule blocks the most dangerous security command operations:

-   dump-keychain: Dump entire keychain contents
-   dump-trust-settings: Dump certificate trust settings
-   add-trusted-cert: Add a trusted certificate (MITM risk)
-   find-generic-password: Find and display generic passwords
-   find-internet-password: Find and display internet passwords

All security command operations not named in the CEL expression remain allowed.
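Before deploying, it helps to replay historical `security` invocations through the same predicate to see what would be blocked. The following is an added example, not Workshop or Santa code: it mirrors the rule's `args.exists(a, a in [...])` logic in plain Python and runs it over constructed sample argv lists (assumed, not real fleet data). Note that `exists` matches any argument token, not only the subcommand position.

```python
"""Dry-run the cookbook's CEL predicate against recorded argv lists."""
from collections import Counter

# Same operation list as the CEL expression in the rule.
BLOCKED_OPS = frozenset({
    "dump-keychain", "dump-trust-settings", "find-generic-password",
    "find-internet-password", "find-identity", "add-trusted-cert",
    "add-certificates", "unlock-keychain", "set-key-partition-list",
})


def decision(args):
    """Mirror `args.exists(a, a in [...]) ? BLOCKLIST : ALLOWLIST`.

    `args` is the full argv list, argv[0] included. Any token that is
    exactly one of the listed operations triggers BLOCKLIST.
    """
    return "BLOCKLIST" if any(a in BLOCKED_OPS for a in args) else "ALLOWLIST"


def replay(invocations):
    """Tally decisions over recorded invocations.

    Returns (Counter of decisions, list of argv lists that would be blocked)
    so the blocked set can be reviewed for legitimate admin/developer use.
    """
    tally = Counter()
    blocked = []
    for argv in invocations:
        verdict = decision(argv)
        tally[verdict] += 1
        if verdict == "BLOCKLIST":
            blocked.append(argv)
    return tally, blocked


# Constructed sample invocations (hypothetical, for illustration only).
SAMPLES = [
    ["security", "dump-keychain", "-d", "login.keychain"],         # blocked
    ["security", "find-generic-password", "-s", "wifi", "-w"],   # blocked
    ["security", "add-trusted-cert", "-d", "-r", "trustRoot",
     "-k", "/Library/Keychains/System.keychain", "proxy.cer"],    # blocked
    ["security", "list-keychains"],                                # allowed
    ["security", "find-certificate", "-c", "example.com", "-p"], # allowed
    ["security", "-h", "dump-keychain"],   # blocked: exists() checks every token
]

if __name__ == "__main__":
    counts, hits = replay(SAMPLES)
    print(counts)
    for argv in hits:
        print("would block:", " ".join(argv))
```

Feed `replay` with argv lists exported from your own execution telemetry to estimate the false-positive rate before enabling the rule in blocking mode.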

### False Positive Guidance

Developers and system administrators occasionally need to use these security command operations for legitimate purposes:

-   Debugging authentication issues
-   Managing certificates
-   Troubleshooting keychain problems

Consider using Workshop tags to exempt specific users or create approval workflows.

### Resources

[LOOBins - security command](https://www.loobins.io/binaries/security/)

