<noframes id="vfxvr">


ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (Lin Miaoqian, cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and 戴亦侖 (Dai Yilun, 賽寧網安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1144

Glossary: /attack/glossary

Gatekeeper Bypass

In macOS and OS X, when applications or programs are downloaded from the internet, a special extended attribute named com.apple.quarantine is set on the file. Apple's Gatekeeper defense reads this attribute at execution time and prompts the user to allow or deny execution.

Apps loaded onto the system from a USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network do not get this flag set. Additionally, other utilities or events such as drive-by downloads do not necessarily set it either. This completely bypasses the built-in Gatekeeper check. The presence of the quarantine flag can be checked with the xattr command: xattr /path/to/MyApp.app lists the file's extended attributes, and com.apple.quarantine appears among them when the file is quarantined. Similarly, given sudo access or elevated permission, the attribute can be removed with xattr as well: sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app.

In typical operation, a file is downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS's Gatekeeper steps in and checks for the presence of this flag. If it exists, macOS prompts the user to confirm that they want to run the program and even provides the URL the application came from. However, all of this depends on the file having been downloaded by a quarantine-aware application.

Tags

ID: T1144

Tactic: Defense Evasion

Platform: macOS

Permissions Required: User, Administrator

Data Sources: File monitoring, Process command-line parameters

Defense Bypassed: Application whitelisting, Anti-virus

Procedure Examples

Name | Description
CoinTicker (S0369) | CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.

Mitigations

Mitigation | Description
Execution Prevention (M1038) | System settings can prevent applications from running that haven't been downloaded through the Apple Store, which can help mitigate some of these issues.

Detection

Removal of the com.apple.quarantine flag by a user rather than by the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate a high rate of false-positive alerts, so compare against baseline knowledge of how systems are typically used and, where possible, correlate modification events with other indications of malicious activity.
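As an added example for the detection guidance above (not part of the ATT&CK page or the translators' work), this Python script scans constructed process-command-line telemetry for xattr invocations that remove com.apple.quarantine, separating explicit removal and the -c clear-all form from benign reads and deletions of other attributes. The log line format and its field names (ts, user, cmd) are assumptions, not a real product's schema.

```python
"""Flag process command lines that strip the com.apple.quarantine attribute (T1144 detection).

Constructed example: the telemetry lines and the field layout (ts, user, cmd) are made up.
"""
import re
import shlex

QUARANTINE_ATTR = "com.apple.quarantine"
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Constructed sample telemetry: one process launch per line.
SAMPLE_LOG = """\
2019-11-05T10:01:02Z user=alice cmd="xattr -l /Users/alice/Downloads/MyApp.app"
2019-11-05T10:01:09Z user=alice cmd="xattr -p com.apple.quarantine /Users/alice/Downloads/MyApp.app"
2019-11-05T10:02:11Z user=alice cmd="sudo xattr -r -d com.apple.quarantine /Users/alice/Downloads/MyApp.app"
2019-11-05T10:03:44Z user=bob cmd="/usr/bin/xattr -c /tmp/payload.app"
2019-11-05T10:04:00Z user=bob cmd="xattr -d com.apple.metadata:kMDItemWhereFroms /tmp/notes.txt"
"""

def classify(cmd):
    """Return why a command removes the quarantine flag, or None if it does not."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the recorded command line
        return None
    if argv and argv[0].rsplit("/", 1)[-1] == "sudo":  # treat `sudo xattr ...` as `xattr ...`
        argv = argv[1:]
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return None
    flags = "".join(a[1:] for a in argv[1:] if a.startswith("-") and len(a) > 1)
    operands = [a for a in argv[1:] if not a.startswith("-")]
    if "c" in flags:  # -c clears every attribute on the file, quarantine included
        return "xattr -c clears all extended attributes, including " + QUARANTINE_ATTR
    if "d" in flags and operands and operands[0] == QUARANTINE_ATTR:
        return "explicit removal of " + QUARANTINE_ATTR + (" (recursive)" if "r" in flags else "")
    return None  # -l, -p, -w and deletions of other attributes are benign here

def detect(log_text):
    """Return (ts, user, reason, cmd) tuples for every suspicious launch in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reason := classify(m["cmd"])):
            hits.append((m["ts"], m["user"], reason, m["cmd"]))
    return hits

if __name__ == "__main__":
    for ts, user, reason, cmd in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {reason} :: {cmd}")
```

In a real deployment the hits would be compared against a baseline of known administrative tooling, as the detection text recommends, rather than alerted on directly.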
