Potential Gatekeeper Bypass¶
In macOS, files downloaded from the internet by browsers and other quarantine-aware applications are tagged with the `com.apple.quarantine` extended attribute. Gatekeeper reads this attribute when the file is first executed and verifies the program's code signature (and, where required, its notarization) before allowing it to run. Deleting the attribute, for example with `xattr -d com.apple.quarantine <file>`, lets the program run without those checks, so execution of `xattr` that references the quarantine attribute is worth surfacing.
| id: | a4fe6af5-bc33-4e72-8241-eea885b95c46 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | macos |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1144 Gatekeeper Bypass |
Query¶
```eql
process where subtype.create and
process_name == "xattr" and
command_line == "*com.apple.quarantine*"
| unique command_line
```
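The following is an added example, not part of the original analytic or of the EQL engine: a stand-alone Python re-implementation of the predicate and the `| unique command_line` pipe, run over constructed process-creation events (the events, user name and paths are made up). It also adds a triage helper, `removes_quarantine`, that is not in the query, to separate invocations that actually strip the attribute (`-d com.apple.quarantine`, or `-c`, which clears every extended attribute on the file) from reads such as `xattr -p` or `xattr -l`, which the wildcard match also returns. The sample set shows the two behaviours that justify the low confidence rating: a `-p` read matches, while `xattr -c` does not match at all because the attribute name never appears on the command line.

```python
import fnmatch
import shlex

QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample process telemetry (made up for this example, not real logs).
# Field names follow the EQL query: subtype, process_name, command_line.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/alice/Downloads/Tool.app"},
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/alice/Downloads/Tool.app"},  # duplicate, collapsed by unique
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -p com.apple.quarantine /Users/alice/Downloads/Tool.app"},  # read only, still matches
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -c /Users/alice/Downloads/Tool.app"},  # clears all xattrs, query misses it
    {"event_type": "process", "subtype": "terminate", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/alice/Downloads/Tool.app"},  # not a create event
    {"event_type": "process", "subtype": "create", "process_name": "ls",
     "command_line": "ls -l@ /Users/alice/Downloads"},
]


def matches_query(event):
    """Predicate of the analytic: process where subtype.create and
    process_name == "xattr" and command_line == "*com.apple.quarantine*".
    A '*' in an EQL string literal turns '==' into a wildcard match, so
    fnmatch is used here; both sides are lower-cased because Endgame's EQL
    compares strings case-insensitively."""
    return (event.get("event_type") == "process"
            and event.get("subtype") == "create"
            and event.get("process_name", "").lower() == "xattr"
            and fnmatch.fnmatchcase(event.get("command_line", "").lower(),
                                    "*" + QUARANTINE_ATTR + "*"))


def run_query(events):
    """Apply the predicate, then the '| unique command_line' pipe: the first
    matching event for each distinct command_line is kept."""
    seen = set()
    results = []
    for event in events:
        if matches_query(event) and event["command_line"] not in seen:
            seen.add(event["command_line"])
            results.append(event)
    return results


def removes_quarantine(command_line):
    """Triage helper added for this example (not part of the original
    analytic). True when the xattr invocation strips the quarantine attribute:
    -d with com.apple.quarantine as the first positional argument, or -c,
    which clears every attribute. Reads (-p, -l) return False. Only xattr's
    short flags from xattr(1) are parsed, and combined flags such as -rd are
    accepted; the attribute name is the first non-flag argument."""
    argv = shlex.split(command_line)
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return False
    flags = set()
    positional = []
    for arg in argv[1:]:
        if arg.startswith("-") and len(arg) > 1:
            flags.update(arg[1:])
        else:
            positional.append(arg)
    if "c" in flags:
        return True
    return "d" in flags and bool(positional) and positional[0] == QUARANTINE_ATTR


if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        verdict = "REMOVES" if removes_quarantine(hit["command_line"]) else "reads  "
        print(verdict, hit["command_line"])
```

Running the block prints two hits: the `-d` invocation (flagged as removing the attribute) and the `-p` read. The `-c` event never reaches the output, which is the gap to keep in mind when tuning; a broader version of the query would match on `process_name == "xattr"` alone and push the `-d`/`-c` distinction into triage, at the cost of more noise.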