T1553.001
Gatekeeper Bypass
Adversaries are finding new methods of subverting two of macOS’s key security checks: Gatekeeper and File Quarantine.
Pairs with this song Threat sounds
Gatekeeper, Mac users wait for your nod. Adversaries have found ways to circumvent the additional security checks performed by Apple’s Gatekeeper feature.
Analysis
Note: For additional information on the architecture of Gatekeeper, how it works, and conceptual descriptions of how adversaries bypass it, refer to our previous research: Gatekeeping in macOS: Keeping adversaries off our Apples.
Why do adversaries want to bypass Gatekeeper?
Adversaries attempt to bypass Apple’s Gatekeeper security checks in order to gain execution on a host. Since Gatekeeper’s introduction, the security control has hampered adversaries’ ability to execute untrusted code (i.e., code that does not conform to the system’s security policy). Adversaries may also circumvent the older File Quarantine feature and some of the high-level security checks that Gatekeeper performs, but the objective remains the same: to execute untrusted code.
How do adversaries bypass Gatekeeper?
Since Gatekeeper relies on a separate feature called File Quarantine to identify the files that it will inspect, it makes sense to start this section with a brief explanation of File Quarantine and an examination of the ways that adversaries can circumvent it.
What is File Quarantine?
Our previous research includes a thorough examination of File Quarantine that we encourage you to read. In brief, it’s generally an opt-in security feature for applications like browsers, work management tools, and torrenting clients that applies a quarantine extended attribute to files downloaded by users of those applications. This file quarantine attribute signals Gatekeeper to inspect files marked with it. File Quarantine is essentially a macOS version of Mark-of-the-Web for Windows systems.
How do adversaries get around it?
Non-LSFileQuarantineEnabled apps and/or binaries like /usr/bin/curl and /usr/bin/wget are two examples of binaries that do not append the quarantine extended attribute to downloaded files. WindTail, “VPN Trojan” (Covid), oRAT, and ChromeLoader, just to name a few, have all been known to abuse wget or curl to sidestep File Quarantine.
An adversary could also target users of non-quarantine-aware applications to download content without the quarantine attribute and circumvent File Quarantine and Gatekeeper in the process. While possible, this is also complicated as the adversary would need to identify a non-quarantine-aware application being used by a victim and then socially engineer the victim into downloading a malicious file with that application. By contrast, utilities like wget and curl offer adversaries a seemingly normal and widely available mechanism for downloading files from the internet without the quarantine attribute.
What are some of Gatekeeper’s security checks?
The name of the game here is to trick macOS into launching an executable without first passing a full Gatekeeper check. Before we document existing methods of bypassing Gatekeeper, we should revisit some of the properties that Gatekeeper checks include:
System Policy
- Gatekeeper arm status
- Gatekeeper security policy (Mac App Store, identified developers, etc)
- Gatekeeper exceptions list (GKE)
- Tamper exclusions list
- Ability to execute, open with launch services, or install
File type
- App bundle
- Library
- UDIF disk image
- Script
Static properties
- Bundle identifier and version (if applicable)
- File size
- Responsible file ID
- Quarantine status
- File system type
- Mount point and path
Code-signing properties
cdhash(Code Directory hash)- Main executable hash
- Team ID
- Signing ID
- Gatekeeper attempts to validate the code signature in a similar way to:
codesign --verify --deep --strict --verbose=2 <code-path>
Notarization (stapled and remote tickets)
- Legacy checking
XProtect scan result
Defenders can also inspect many of the database tables the Gatekeeper creates and updates via syspolicyd.
Documented Gatekeeper bypass methods
Gatekeeper is a large security control on macOS with responsibilities ranging from initiating XProtect scans, static analysis, code-signing/notarization validation, and now application bundle anti-tamper. There’s no surefire way to bypass Gatekeeper, and most methods involve use of an exploit or two. However, researchers have uncovered exploits with overlapping tradecraft:
Clever archives
- CVE-2022-42821, disclosed by Jonathan Bar Or: AppleDouble file format and restrictive Access Control Lists (ACL) represented in an extended attribute. This ACL disallowed the system from applying the quarantine extended attribute.
- CVE-2022-32910, disclosed by Ferdous Saljooki: Cleverly crafted ZIP archive that revealed a bug in the propagation of the quarantine extended attribute.
- CVE-2022-22616, disclosed by Ferdous Saljooki, Mickey Jin, and Jaron Bradley: Cleverly crafted ZIP archive that fundamentally revealed a bug in parsing BoM (Bill of Materials) files.
- CVE-2021-30658, disclosed by Wojciech Reguła: Enterprise cert-signed iOS app
.ipa. - CVE-2021-1810, disclosed by Rasmus Sten: Directory/file path length.
Symlinks
- CVE-2021-30990, disclosed by Ron Masas: Generated an applet symlinking the Mach-O binary at
../Contents/MacOS/to a local copy on the system.
Clever app bundles
- CVE-2021-30657 [CISA Known Exploited Vulnerability], disclosed by Cedric Owens: Script in-place of Mach-O executable at
../Contents/MacOS/ - CVE-2021-3085, disclosed by: Gordon Long: Script-based app bundle (no interpreter specified)
Open Scripting Architecture (OSA)
- CVE-2021-30975, disclosed by Ryan Pickren: Cleverly crafted
.sdef(scripting definitions) file that contains HTML/JavaScript - CVE-2021-30669: AppleScript – no further information provided
WebKit
- CVE-2021-30861, disclosed by Wojciech Reguła and Ryan Pickren: Safari can be tricked into opening a quarantined file.
Miscellaneous impacted components:
- CoreTypes (CVE-2022-22663)
- Launch Services (CVE-2021-30976)
- Archive Utility (CVE-2021-30950, CVE-2021-1810)
Take Action
You can help mitigate Gatekeeper bypasses by doing the following:
- Regularly apply macOS and browser updates.
- macOS 13 Ventura now includes a feature known as RSS (Rapid Security Response), which will automatically download and install security updates in the background. This can additionally be enabled through MDM.
- Ensure macOS’s security controls reflect the user’s use case. For example, System Integrity Protection (SIP) should not be disabled for the vast majority of users. Keeping SIP enabled ensures that adversaries cannot modify key system resources (without a bypass).
- Limit and monitor your potential attack surface. Which apps do you regularly download files from on a Mac? Are they File Quarantine-aware? Remember, File Quarantine is largely opt-in.
- Monitor endpoints for simple heuristics like the above.
Visibility
Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.
Although there is no completely reliable way to engineer a detection analytic for bypassing Gatekeeper—in part due to the sheer size of the security control—there are clever combinations of endpoint security events and additional enrichment we can monitor for high-fidelity detection. For one, Gatekeeper also makes liberal use of the Unified Audit Log. Additionally, many of the analytics we’ll describe here focus on process and file monitoring—data sources described by MITRE here. Leverage native macOS tools to record process and file level system events as they occur.
Process monitoring
File Quarantine-aware applications should not be making unquarantined file downloads. Additional noise may be seen in /private/var/folders. You can determine if an application is file quarantine aware by checking its Info.plist/the exceptions list at: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist, which forces applications into quarantine.
File monitoring
While a file’s extended attributes (or the existence of the quarantine attribute) are not directly reported by Endpoint Security (for file creation, rename, etc), it’s possible to directly check over API using getxattr or using the URL resource key quarantinePropertiesKey from the Foundation framework. File creation operations will be helpful for checking if a File Quarantine-aware app makes an unquarantined file download. However, these will not be as helpful when dealing with archives. File rename operations, resulting from inflating an archive using Archive Utility.
- A file rename operation will occur. The source path will be similar to:
/private/var/folders/…/…/T/com.apple.desktopservices.ArchiveService/TemporaryItems/…/ - The destination path will heuristically be defined as the user’s home folder
~/ - If the file at the destination path is a directory and that directory is not quarantined then perform a deep search within the directory for any file not quarantined.
- Any files found which are not quarantined are candidates for a File Quarantine violation.
Collection
Note: The collection sections of this report showcase specific log sources from Windows events, Sysmon, and elsewhere that you can use to collect relevant security information.
Quarantine extended attribute
The com.apple.quarantine extended attribute/notarization is key in alerting Gatekeeper that it should assess an object. LSFileQuarantineEnabled applications should always download files with the quarantine extended attribute tagged.
File Quarantine-enabled apps
File Quarantine-enabled applications opt users into File Quarantine protection by adding the LSFileQuarantineEnabled key to their Info.plist.
Endpoint Security events
Apple’s Endpoint Security subsystem provides notification/authorization events that defenders can subscribe to and incorporate into for detection. Process execution, file rename/creation events can be particularly useful. These events are triggered when macOS notifies Endpoint Security that either a process has/will execute or that a file creation operation is taking place. For simplicity, here we will discuss only notification events—but defenders can easily adapt this logic for authorization events that could theoretically block a Gatekeeper bypass event.
ES_EVENT_TYPE_NOTIFY_EXEC
Beyond what’s available in Endpoint Security, grab the property list of the application that launched (if it exists) as well.
ES_EVENT_TYPE_NOTIFY_RENAME
The source and destination paths are important here (directly provided by Endpoint Security). We’ll use the destination path to check for quarantine (use the method described above).
ES_EVENT_TYPE_NOTIFY_CREATE
Like the above, beyond what Endpoint Security provides, record:
- If the file is quarantined (use the method described above)
- Uniquely identifying information about the process responsible for creating this file
Detection opportunities
While it might seem like bypass activity happens outside the bounds of a security team’s visibility, there are a couple of detection analytics that might help security teams develop coverage for this technique. Here we will focus on the File Quarantine violation type, but other detection opportunities (which may be more complicated and should be done at the EDR level) exist for:
- Validating the integrity of expanded archives (we’ll briefly mention pseudo code)
- Application bundle anti-tamper
- Validation against Gatekeeper’s databases
- Code signing
Quarantine-aware application downloading unquarantined files
The following detection logic should identify files created by a File Quarantine-aware application that did not receive the quarantine extended attribute. This detection analytic handles the File Quarantine bypass type.
process_is == FileQuarantineAware
&& filemod_path_does_not_include ('/private/var/folders')
&&
filemod_propery_does_not_include ('com.apple.quarantine')The following analytic is specific to Safari.app and is based on research from Jamf Threat labs with CVE-2022-22616. This analytic checks to ensure that a file downloaded and expanded by Safari is quarantined.
process == "com.apple.Safari.SandboxBroker"
&&
(filemod_path_includes ('.download' || '.app')
&&
filemod_propery_does_not_include ('com.apple.quarantine'))
Quarantined-inflated archive’s files not quarantined
This analytic is added for EDR developers who want to gain insight into potential File Quarantine bypasses. This analytic will need to be developed at the sensor level.
// isFileQuarantined(path: String) -> Bool
// filesNotQuarantined(directoryPath: String, options: [...] = []) -> [String]
file_rename_destination_path_includes ('$HOME') && file_rename_source_path_includes ('com.apple.desktopservices.ArchiveService') && isFileQuarantined(file_rename_destination_path) && filesNotQuarantined(file_rename_destination_path).count > 0
Testing
The best way to test for a Gatekeeper bypass event is to think like an adversary and come up with some atomic examples of behavior:
- Can you build a detection for the above? If so, you can modify the detection in such a way to trigger an EICAR-like event.
- Build a basic macOS app that can download a file from the internet. Add an identifying key to its
Info.plist…something likeTEST-LSFileQuarantineEnabled. - Your modified detection analytic can now key off of this fake property list key and since the app will download a file without the quarantine extended attribute applied, the detection should trigger.
Additionally, more tests like the above can be created for other classes of bypasses (those independent of File Quarantine) like application bundle tampering, which instead largely relies on code-signing properties.