Skip to content

T1553.001 Gatekeeper Bypass

Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.45

Based on an opt-in system, when files are downloaded an extended attribute (xattr) called com.apple.quarantine (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:

  1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.36

  2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.

  3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID.

  4. Notarization - Using the api.apple-cloudkit.com API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified.

Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. Exploitation for Defense Evasion), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.21

Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using Drive-by Compromise.

Item Value
ID T1553.001
Sub-techniques T1553.001, T1553.002, T1553.003, T1553.004, T1553.005, T1553.006
Tactics TA0005
Platforms macOS
Version 1.2
Created 05 February 2020
Last Modified 21 October 2022

Procedure Examples

ID Name Description
S0369 CoinTicker CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.9
S1016 MacMa MacMa has removed the com.apple.quarantineattribute from the dropped file, $TMPDIR/airportpaird.8
S0402 OSX/Shlayer If running with elevated privileges, OSX/Shlayer has used the spctl command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. OSX/Shlayer has been Notarized by Apple, resulting in successful passing of additional Gatekeeper checks.101112
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses the command xattr -d com.apple.quarantine to remove the quarantine file attribute used by Gatekeeper.76
S0658 XCSSET XCSSET has dropped a malicious applet into an app’s .../Contents/MacOS/ folder of a previously launched app to bypass Gatekeeper’s security checks on first launch apps (prior to macOS 13).1

Mitigations

ID Mitigation Description
M1038 Execution Prevention System settings can prevent applications from running that haven’t been downloaded through the Apple Store which can help mitigate some of these issues.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Metadata
DS0009 Process Process Creation

References

  1. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022. 

  2. Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. 

  3. Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. 

  4. hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. 

  5. How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. 

  6. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  7. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  8. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  9. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  10. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  11. Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021. 

  12. Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code …now notarized!? #2020. Retrieved September 13, 2021.