ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩(清华大学网络研究院网络空间安全实习生)、戴亦仑(赛宁网安) 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1144

术语表: /attack/glossary

Gatekeeper 绕过

在macOS和OS X中,从Internet下载应用程序或程序时,在名为的文件上设置了特殊属性com.apple.quarantine。苹果的Gatekeeper防御程序会在执行时读取此属性,并向用户提示允许或拒绝执行。

从USB闪存驱动器,光盘,外部硬盘驱动器甚至从本地网络共享的驱动器加载到系统上的应用程序都不会设置此标志。此外,其他实用程序或事件(例如“路过”下载)也不一定要对其进行设置。这完全绕过了内置的Gatekeeper检查。[1]的检疫标志的存在可以通过XATTR命令检查xattr /path/to/MyApp.appcom.apple.quarantine。类似地,给定sudo访问权限或提升的权限,也可以使用xattr删除此属性sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app

在典型操作中,文件将从互联网上下载并被隔离,然后保存到磁盘。当用户尝试打开文件或应用程序时,macOS的网守将介入并检查此标志的存在。如果存在,则macOS会提示用户确认他们要运行该程序,甚至会提供应用程序来源的URL。但是,所有这些都基于从隔离应用程序下载的文件。

In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.

Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check. The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app for com.apple.quarantine. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app.

In typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS’s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application.

标签

ID编号: T1144

策略: 绕过防御

平台: macOS

所需权限: user,administrator

数据源: 文件监测,进程命令行参数

绕过防御: 应用程序白名单, 防病毒软件

程序示例

名称 描述
CoinTicker (S0369) CoinTicker 使用curl 来下载EggShell mach-o二进制文件,该文件不会设置隔离标志。
Name Description
CoinTicker (S0369) CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.

缓解措施

缓解 描述
执行预防 ( M1038) 系统设置可以阻止未通过Apple Store下载的应用程序运行,这可以帮助缓解其中的一些问题。
Mitigation Description
Execution Prevention(M1038) System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.

检测

com.apple.quarantine由用户(而不是操作系统)监视删除标志的行为是可疑的操作,应进一步检查。监视和调查使用实用程序(例如)修改扩展文件属性的尝试xattr。内置的系统实用程序可能会生成高误报警报,因此请与基准知识相比较,以了解系统的典型使用方式,并在可能的情况下将修改事件与其他恶意活动指示相关联

Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.