| ID | Name |
|---|---|
| T1553.001 | Gatekeeper Bypass |
| T1553.002 | Code Signing |
| T1553.003 | SIP and Trust Provider Hijacking |
| T1553.004 | Install Root Certificate |
| T1553.005 | Mark-of-the-Web Bypass |
| T1553.006 | Code Signing Policy Modification |
Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.[1][2]
The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.[3][4][5]
Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise, which may bypass Gatekeeper. [6][7][8]
| ID | Name | Description |
|---|---|---|
| S0369 | CoinTicker |
CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.[9] |
| S0402 | OSX/Shlayer |
If running with elevated privileges, OSX/Shlayer uses the |
| S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D uses the command |
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention |
System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Metadata |
| File Modification | ||
| DS0009 | Process | Process Creation |
The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates.
Review false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag.
QuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.[4]