← Library
splApache-2.0from splunk/security_content

MacOS Gatekeeper Bypass

Detects known MacOS security bypass techniques that may be used to enable malicious code execution. Specifically monitors for attempts to remove the com.apple.quarantine attribute using xattr, or to disable Gatekeeper protections via spctl --master-disable, both of which can allow untrusted or malicious applications to execute without standard system safeguards.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/macos_gatekeeper_bypass.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

(
    Processes.process = "*xattr*"
    Processes.process = "*com.apple.quarantine*"
)
OR
(
    Processes.process = "*spctl*"
    Processes.process = "*master-disable*"
)

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_gatekeeper_bypass_filter`