Subvert Trust Controls: Gatekeeper Bypass

Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.[1][2]

The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.[3][4][5]

Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise, which may bypass Gatekeeper. [6][7][8]

ID: T1553.001
Sub-technique of:  T1553
Tactic: Defense Evasion
Platforms: macOS
Permissions Required: Administrator, User
Defense Bypassed: Anti-virus, Application control
Version: 1.1
Created: 05 February 2020
Last Modified: 14 October 2021

Procedure Examples

ID Name Description
S0369 CoinTicker

CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.[9]

S0402 OSX/Shlayer

If running with elevated privileges, OSX/Shlayer uses the spctl command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer also leveraged system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions.[10][11]

S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper and Notarization checks.[12][3]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Metadata
File Modification
DS0009 Process Process Creation

The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates.

Review false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag.

QuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.[4]

References