Матрица MITRE ATT&CK

Technique on mitre.org

T1553.001: Gatekeeper Bypass

Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.

Based on an opt-in system, when files are downloaded an extended attribute (xattr) called com.apple.quarantine (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:

Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.
Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.
Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.
Notarization - Using the api.apple-cloudkit.com API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.

Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. Exploitation for Defense Evasion), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.

Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using Drive-by Compromise.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor and investigate attempts to modify extended file attributes with utilities such as `xattr`. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor and investigate attempts to modify extended file attributes with utilities such as `xattr`. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

ID	DS0022	Data source and component	File: File Metadata	Description	Review `false` values under the `LSFileQuarantineEnabled` entry in an application's `Info.plist` file (required by every application). `false` under `LSFileQuarantineEnabled` indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified `LSFileQuarantineEnabled` entry will default to not setting the quarantine flag. QuarantineEvents is a SQLite database containing a list of all files assigned the `com.apple.quarantine` attribute, located at `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.

ID	DS0022	Data source and component	File: File Modification	Description	The removal of the `com.apple.quarantine` flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.

ID	Data source and component	Description
DS0009	Process: Process Creation	Monitor and investigate attempts to modify extended file attributes with utilities such as `xattr`. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
DS0017	Command: Command Execution	Monitor and investigate attempts to modify extended file attributes with utilities such as `xattr`. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
DS0022	File: File Metadata	Review `false` values under the `LSFileQuarantineEnabled` entry in an application's `Info.plist` file (required by every application). `false` under `LSFileQuarantineEnabled` indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified `LSFileQuarantineEnabled` entry will default to not setting the quarantine flag. QuarantineEvents is a SQLite database containing a list of all files assigned the `com.apple.quarantine` attribute, located at `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.
DS0022	File: File Modification	The removal of the `com.apple.quarantine` flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.

Mitigation

ID	M1038	Name	Execution Prevention	Description	System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.

ID	Name	Description
M1038	Execution Prevention	System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.