Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via xattr utility
Sigma rule (View on GitHub)
1title: Gatekeeper Bypass via Xattr
2id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
3status: test
4description: Detects macOS Gatekeeper bypass via xattr utility
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
7 - https://www.loobins.io/binaries/xattr/
8author: Daniil Yugoslavskiy, oscd.community
9date: 2020/10/19
10modified: 2024/04/18
11tags:
12 - attack.defense_evasion
13 - attack.t1553.001
14logsource:
15 category: process_creation
16 product: macos
17detection:
18 selection:
19 Image|endswith: '/xattr'
20 CommandLine|contains|all:
21 - '-d'
22 - 'com.apple.quarantine'
23 condition: selection
24falsepositives:
25 - Legitimate activities
26level: low
References
Related rules
- Linux Command History Tampering
- Cisco Duo Successful MFA Authentication Via Bypass Code
- Invoke-Obfuscation Via Stdin
- HackTool - CoercedPotato Execution
- Invoke-Obfuscation CLIP+ Launcher