ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩, 戴亦仑. Original translation; please obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices


Glossary: /attack/glossary

Gatekeeper Bypass

In macOS and OS X, when applications or programs are downloaded from the internet, a special extended attribute (the quarantine flag) is set on the file. Apple's Gatekeeper reads this attribute at execution time and prompts the user to allow or deny execution.

Apps loaded onto the system from a USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won't have this flag set. Other utilities and events, such as drive-by downloads or a transfer with curl, don't necessarily set it either. A file without the flag never triggers the built-in Gatekeeper check. [1] The presence of the quarantine flag can be checked with the xattr command (xattr /path/to/ lists the file's extended attributes). Similarly, the attribute can be removed with xattr as well (sudo xattr -r -d /path/to/). Elevated permission via sudo only matters when the user cannot otherwise write the file: the owner of a downloaded file can strip the attribute from it without any elevation.

In typical operation, a file downloaded from the internet is given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS's Gatekeeper steps in and checks for the presence of this flag. If it exists, macOS prompts the user to confirm that they want to run the program and even shows the URL the application came from. However, all of this depends on the file having been downloaded by a quarantine-aware application, i.e. one that sets the flag on the files it saves: web browsers do, a command-line tool such as curl does not.


ID: T1144

Tactic: Defense Evasion

Platform: macOS

Permissions Required: User, Administrator

Data Sources: File monitoring, Process command-line parameters

Defense Bypassed: Application whitelisting, Anti-virus


Name Description
CoinTicker (S0369) CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.


Mitigation Description
Execution Prevention (M1038) System settings can prevent applications that haven't been downloaded through the App Store from running, which can help mitigate some of these issues.


Monitoring for the removal of the flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
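As an added example (not code from the ATT&CK page or from any vendor tooling), the following Python sketch implements the detection described above over process command-line events: it flags xattr(1) invocations that delete the quarantine attribute or clear all attributes, suppresses user and path-prefix pairs that a local baseline marks as expected automation, and includes an on-disk check mirroring the xattr listing mentioned earlier on the page. The attribute name com.apple.quarantine is the standard macOS quarantine xattr (not spelled out on this page); the JSON-lines log format, the sample events and the baseline entry are constructed for the example.

```python
"""Added example for ATT&CK T1144: detect xattr(1) removal of the macOS
quarantine attribute in process command-line events (constructed data)."""
import json
import os
import shlex
import subprocess
from dataclasses import dataclass

# Standard macOS quarantine xattr; assumption relative to this page, which
# does not spell the name out.
QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed process events, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2019-11-04T10:02:11Z", "user": "alice", "pid": 4121, "cmd": "xattr -l /Users/alice/Downloads/tool.dmg"}
{"ts": "2019-11-04T10:02:45Z", "user": "alice", "pid": 4133, "cmd": "xattr -d com.apple.quarantine /Users/alice/Downloads/tool.dmg"}
{"ts": "2019-11-04T10:03:02Z", "user": "root", "pid": 4140, "cmd": "sudo xattr -r -d com.apple.quarantine /Applications/Tool.app"}
{"ts": "2019-11-04T10:03:30Z", "user": "bob", "pid": 4152, "cmd": "xattr -c /Users/bob/Desktop/report.pdf"}
{"ts": "2019-11-04T10:04:00Z", "user": "bob", "pid": 4160, "cmd": "xattr -d com.apple.FinderInfo /Users/bob/Desktop/report.pdf"}
{"ts": "2019-11-04T10:04:10Z", "user": "build", "pid": 4170, "cmd": "xattr -d com.apple.quarantine /Users/build/ci/cache/dep.tar.gz"}
"""

# Hypothetical baseline: (user, path prefix) pairs where stripping the flag
# is expected, e.g. a CI account unpacking fetched dependencies.
BASELINE = {("build", "/Users/build/ci/")}


@dataclass
class Finding:
    pid: int
    user: str
    path: str
    reason: str      # "delete" (-d com.apple.quarantine) or "clear" (-c)
    recursive: bool  # -r was given


def strips_quarantine(cmdline):
    """Return (paths, recursive, reason) if cmdline removes the quarantine
    attribute with xattr(1), else None. Handles bundled flags such as -rd,
    `xattr -c` (clears every attribute, quarantine included) and a leading
    `sudo`, the elevated form shown on the page."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: not a parseable command
        return None
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv or os.path.basename(argv[0]) != "xattr":
        return None
    delete = clear = recursive = False
    positionals = []
    for tok in argv[1:]:
        if len(tok) > 1 and tok.startswith("-"):
            for flag in tok[1:]:
                if flag == "d":
                    delete = True
                elif flag == "c":
                    clear = True
                elif flag == "r":
                    recursive = True
        else:
            positionals.append(tok)
    if clear and positionals:
        return positionals, recursive, "clear"
    if delete and len(positionals) > 1 and positionals[0] == QUARANTINE_ATTR:
        return positionals[1:], recursive, "delete"
    return None


def scan_log(log_text, baseline):
    """One Finding per affected path for events that strip the flag, minus
    the (user, prefix) combinations listed in baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = strips_quarantine(event["cmd"])
        if hit is None:
            continue
        paths, recursive, reason = hit
        for path in paths:
            if any(event["user"] == u and path.startswith(p) for u, p in baseline):
                continue          # expected automation per local baseline
            findings.append(Finding(event["pid"], event["user"], path, reason, recursive))
    return findings


def is_quarantined(path):
    """On-disk check equivalent to listing the attribute with xattr(1).
    CPython exposes os.listxattr only on Linux; on macOS shell out to xattr,
    whose -p exits non-zero when the attribute is absent. Missing or
    unreadable files report as not quarantined."""
    if hasattr(os, "listxattr"):
        try:
            return QUARANTINE_ATTR in os.listxattr(path)
        except OSError:
            return False
    try:
        res = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                             capture_output=True, check=False)
    except OSError:
        return False
    return res.returncode == 0


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, BASELINE):
        print(finding)
```

Run directly to print the three findings from the sample log (alice's delete, the recursive sudo delete as root, and bob's `-c` clear); the FinderInfo deletion is ignored and the CI account is suppressed by the baseline. This command-line check only sees xattr(1); a tool that copies the file without preserving extended attributes, or a `sudo -u` wrapper, would not match and needs the file-monitoring data source the page also lists.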