236. That's How SHAMOS Bypasses Gatekeeper Checks

Hello everyone!

Let's talk a bit about defense evasion. But not Windows. And not Linux. Today we're going to look at a procedure related to the following technique: Subvert Trust Controls: Gatekeeper Bypass (T1553.001).

And we'll look at SHAMOS, a variant of Atomic macOS Stealer (AMOS). To bypass Gatekeeper checks, it clears all attributes using xattr:

sudo -S xattr -c /tmp/update

We can hunt for clearing attributes for suspicious files located under /tmp:

event_type: "processcreatemac"

AND

proc_file_path: "xattr"

AND

cmdline: ("c" AND "tmp")

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

013. It Can Remove Rootkits. And Your EDR!