- Home
- Techniques
- Enterprise
- Subvert Trust Controls
- Gatekeeper Bypass
Subvert Trust Controls: Gatekeeper Bypass
Other sub-techniques of Subvert Trust Controls (4)
ID | Name |
---|---|
T1553.001 | Gatekeeper Bypass |
T1553.002 | Code Signing |
T1553.003 | SIP and Trust Provider Hijacking |
T1553.004 | Install Root Certificate |
Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine
. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.
Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise. This completely bypasses the built-in Gatekeeper check. [1] The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app
for com.apple.quarantine
. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app
. [2] [3]
In typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS’s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. [4]
Procedure Examples
Name | Description |
---|---|
CoinTicker |
CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.[5] |
Mitigations
Mitigation | Description |
---|---|
Execution Prevention |
System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues. |
Detection
Monitoring for the removal of the com.apple.quarantine
flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr
. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
References
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Rich Trouton. (2012, November 20). Clearing the quarantine extended attribute from downloaded applications. Retrieved July 5, 2017.
- Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.