Potential Gatekeeper Bypass

In macOS, when applications or programs are downloaded from the internet, a special extended attribute (com.apple.quarantine) is set on the file. Apple's Gatekeeper defense program reads this attribute at execution time.
| Field | Value |
|---|---|
| id | a4fe6af5-bc33-4e72-8241-eea885b95c46 |
| categories | detect |
| confidence | low |
| os | macos |
| created | 7/26/2019 |
| updated | 7/26/2019 |
MITRE ATT&CK™ Mapping

| Field | Value |
|---|---|
| tactics | Defense Evasion |
| techniques | T1144 Gatekeeper Bypass |
Query

```eql
process where subtype.create and
  process_name == "xattr" and
  command_line == "*com.apple.quarantine*"
| unique command_line
```
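To show what this analytic actually selects, here is an added Python example (not part of the original analytic library) that replays the same where-clause and the `unique command_line` pipe over a handful of constructed process events. The event field names and the sample command lines are assumptions made for the example; the `*` wildcard in the EQL comparison is emulated with `fnmatch`.

```python
import fnmatch

# Constructed sample process events (not real telemetry). Field names mirror
# the ones the EQL analytic references; the command lines are made up.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/demo/Downloads/Tool.app"},
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -l /Users/demo/Downloads/report.pdf"},
    # Exact duplicate of the first event: must be collapsed by the unique pipe.
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/demo/Downloads/Tool.app"},
    # Same command line but a terminate event, not a create: must not match.
    {"event_type": "process", "subtype": "terminate", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/demo/Downloads/Tool.app"},
    # Different process that merely lists attributes: must not match.
    {"event_type": "process", "subtype": "create", "process_name": "ls",
     "command_line": "ls -la@ /Users/demo/Downloads"},
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -rd com.apple.quarantine /Applications/Example.app"},
]


def matches_rule(event):
    """Mirror the EQL where-clause: a process create event whose process_name is
    xattr and whose command line contains com.apple.quarantine anywhere.
    The EQL '*' wildcard is emulated with fnmatch (assumed case-sensitive here)."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name") == "xattr"
        and fnmatch.fnmatchcase(event.get("command_line", ""), "*com.apple.quarantine*")
    )


def unique_command_lines(events):
    """Mirror '| unique command_line': keep the first matching event for each
    distinct command line, preserving the order in which they were seen."""
    seen = set()
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        command_line = event["command_line"]
        if command_line in seen:
            continue
        seen.add(command_line)
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in unique_command_lines(SAMPLE_EVENTS):
        print(hit["command_line"])
```

Running the block prints the two distinct quarantine-attribute command lines; the duplicate create event, the terminate event and the unrelated `xattr -l` listing are all dropped, which is the behaviour the EQL query has on the same events.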