TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Built-in macOS Security Tools | Huntress

2023-02-21

ATT&CK techniques detected

9 predictions
T1553.001 Gatekeeper Bypass · 98%
“…that the app in question needs to be checked before opening it. This number gets updated depending on the action from the user after the initial opening. The second column is a hexadecimal timestamp. In a database, this maps over to something called Mac Absolute Time. 61730334 th…”

T1553.001 Gatekeeper Bypass · 98%
“…downloaded from the internet to be opened without the user's explicit permissions. Gatekeeper is built on top of this. Once an application is downloaded and we open it, we get the prompt from - again - the CoreServicesUIAgent to ask us if we want to open this application from t…”

T1553.001 Gatekeeper Bypass · 97%
“…would not be. If an application is blocked, you will get a pop-up informing you that it can't be opened, as it's from an 'unidentified developer'. Gatekeeper first will check to see if the application is signed. It will then verify if that signer is legitimate or not. It fi…”

T1553.001 Gatekeeper Bypass · 97%
“…does Gatekeeper work alongside File Quarantine? Gatekeeper: For a little background, Gatekeeper is really just a frontend for the spctl binary on macOS. You can use spctl directly from the command line to check if an application is signed and notarized, which is primarily Gatekeep…”

T1553.001 Gatekeeper Bypass · 96%
“…it is an additional step that Apple uses to check software for nefariousness. Gatekeeper also performs additional checks, such as verifying that notarized applications have not been modified by an unauthorized process, even after the first time it is double-clicked. Gatekeeper …”

T1553.001 Gatekeeper Bypass · 93%
“…this helps keep software from overreaching and accessing pieces of the system that the user has not explicitly given permission for. In the Apple tool chest, TCC is somewhat of a one-off compared to some of the other tools and how they operate, so let's dig into the nuts and …”

T1548.006 TCC Manipulation · 92%
“…us a lot of information, so we can put a few constraints on our statement to grab just the information that I'm currently deeming as relevant. A sample of what we may get back is com.huntresslabs.agent | 6 | 0 | kTCCServiceSystemPolicyAllFiles. These fields map over to a few d…”

T1548.006 TCC Manipulation · 49%
“…it will present the user with an alert when an application attempts to use specific services for the first time. For example, in this screen capture, the user attempts to activate both the camera and the microphone. The CoreServicesUIAgent throws an alert to the user, prompting t…”

T1021.001 Remote Desktop Protocol · 30%
“…anything that does not fall into one of them is encompassed by the XProtect binary. There is also an XProtectRemediatorMRTv3 binary, which is almost the exact same size as the MRT binary within the MRT.app. This makes it seem as if this will eventually replace the MRT.app. You …”
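The first excerpt above describes the com.apple.quarantine extended attribute: a flags field, then a hexadecimal timestamp, and a matching database row that stores the same moment as Mac Absolute Time (seconds since 2001-01-01 UTC). The following is an added example, not code from Huntress or from the original article. It parses an xattr value in the form <flags>;<hex timestamp>;<agent>;<event UUID>, converts the hex timestamp (seconds since the Unix epoch) to a UTC datetime and to Mac Absolute Time, and correlates it with an in-memory stand-in for the QuarantineEventsV2 database. The sample xattr value, agent name, UUID and URL are constructed; the database name and the subset of LSQuarantineEvent column names used here are assumptions about the layout of that database, not something the page states; the flags field is carried through undecoded.

```python
"""Parse a macOS com.apple.quarantine xattr value and correlate it with a
QuarantineEventsV2-style row. Added example with constructed data; the
column names below are an assumed subset of the real table, not the page's."""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Seconds between the Unix epoch (1970-01-01) and the Mac Absolute Time
# epoch (2001-01-01 00:00:00 UTC) that LSQuarantineTimeStamp is expressed in.
MAC_ABSOLUTE_EPOCH_OFFSET = 978307200

# Constructed sample xattr value: flags, hex Unix timestamp, agent, event UUID.
SAMPLE_XATTR = "0083;61730334;Safari;6F4A3C1E-2B7D-4E8A-9C0B-1D2E3F4A5B6C"


@dataclass(frozen=True)
class QuarantineRecord:
    flags: int          # quarantine flags, left undecoded here
    unix_seconds: int   # download time, seconds since the Unix epoch
    agent: str          # application that wrote the xattr (may be empty)
    event_id: str       # UUID keying the QuarantineEventsV2 row (may be empty)

    @property
    def downloaded_at(self) -> datetime:
        return datetime.fromtimestamp(self.unix_seconds, tz=timezone.utc)

    @property
    def mac_absolute_time(self) -> int:
        return unix_to_mac_absolute(self.unix_seconds)


def unix_to_mac_absolute(unix_seconds: int) -> int:
    """Unix epoch seconds -> Mac Absolute Time seconds."""
    return unix_seconds - MAC_ABSOLUTE_EPOCH_OFFSET


def mac_absolute_to_datetime(mac_seconds: float) -> datetime:
    """Mac Absolute Time seconds (as stored in the database) -> aware UTC datetime."""
    return datetime.fromtimestamp(mac_seconds + MAC_ABSOLUTE_EPOCH_OFFSET, tz=timezone.utc)


def parse_quarantine_xattr(value: str) -> QuarantineRecord:
    """Split '<flags>;<hex ts>;<agent>;<uuid>'; only the first two fields are required."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"malformed quarantine xattr: {value!r}")
    parts += [""] * (4 - len(parts))          # pad optional trailing fields
    flags_hex, ts_hex, agent, event_id = parts[:4]
    return QuarantineRecord(int(flags_hex, 16), int(ts_hex, 16), agent, event_id)


def build_sample_events_db() -> sqlite3.Connection:
    """In-memory stand-in for QuarantineEventsV2 holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        " LSQuarantineEventIdentifier TEXT PRIMARY KEY,"
        " LSQuarantineTimeStamp REAL,"          # Mac Absolute Time, as on disk
        " LSQuarantineAgentName TEXT,"
        " LSQuarantineDataURLString TEXT)"
    )
    rec = parse_quarantine_xattr(SAMPLE_XATTR)
    conn.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)",
        (rec.event_id, float(rec.mac_absolute_time), rec.agent,
         "https://example.invalid/installer.dmg"),   # constructed download URL
    )
    conn.commit()
    return conn


def lookup_event(conn: sqlite3.Connection, record: QuarantineRecord) -> Optional[dict]:
    """Join the xattr to its database row by event UUID and convert the timestamp back."""
    row = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString"
        " FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?",
        (record.event_id,),
    ).fetchone()
    if row is None:
        return None
    ts, agent, url = row
    return {"downloaded_at": mac_absolute_to_datetime(ts), "agent": agent, "url": url}


if __name__ == "__main__":
    rec = parse_quarantine_xattr(SAMPLE_XATTR)
    print(f"flags=0x{rec.flags:04x} agent={rec.agent} "
          f"downloaded={rec.downloaded_at.isoformat()}")
    print(f"Mac Absolute Time for the database lookup: {rec.mac_absolute_time}")
    print(lookup_event(build_sample_events_db(), rec))
```

On a real system the xattr value comes from `xattr -p com.apple.quarantine <file>`; feed that string to parse_quarantine_xattr. The hex field in the xattr is Unix time while the database column is Mac Absolute Time, so a timeline that mixes the two without the 978307200-second offset will be off by 31 years.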

Summary

We discuss some of our favorite and most interesting built-in macOS security tools.