Credential dumping prevention techniques?

I ran across this post a few days ago: https://www.crowdstrike.com/blog/mac-attack-credential-theft-video-rsa-2019/

Yeah I ran across that article too, it was light on effective mitigation techniques (nothing about stopping a user from dslc'ing out a shadowhash), and of course is designed to sell Crowdstrike.

What is the higher goal here? I had my bout with Crowdstrike before for this exact scenario (I was trying to script auto login) and all CS seemed to do was to listen to stdin and check if I was doing anything with the ShadowHash, which was trivial to bypass by simply redirecting I/O.

Also, Apple has to most likely access that data for account and authentication purposes. Are you trying to prevent lateral hash exploits?

Credential dumping via hashes for lateral exploits is our red team's crusade of the week. We have solutions on Windows to prevent this, but on Mac I don't see anything that can possibly do that since Apple doesn't make any effort to mitigate it.

Do you have matching local accounts on your Mac fleet? This is pretty avoidable by not having a centralized management account or network/roaming/mobile accounts that can authenticate to the Mac. We use individual local accounts, thus bypassing this exact scenario by design.

Also, you would need local code execution to even do this

separate/tiered accounts for accessing server infrastructure, and, if a management account is necessary on macs, usage of a tool like macOSLAPS will reduce the effectiveness of credential dumping on macOS. afaik there's no real way to mitigate credential dumping alone on macOS. or if there is, i'd love to know.

Just use local accounts, only allow one local account per a Mac and use the FV2 keys for recovery. It completely stops lateral hash attacks