Beware the lack of quarantine on macOS apps and binaries downloaded via curl (or wget). Gatekeeper bypass: no quarantine attribute is set. When files are downloaded from the internet in the normal fashion they should have the attribute set to enable Gatekeeper protection. Bypass! #macos #bypassav #GatekeeperinMacOSX #vulnerability credit to @redcanary https://redcanary.com/threat-detection-report/techniques/gatekeeper-bypass/
Gatekeeper Bypass - Red Canary Threat Detection Report

Adversaries are finding new methods of subverting two of macOS’s key security checks: Gatekeeper and File Quarantine.
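A defender-side check for the attribute the tweet above is about, added here as an example (not code from the Red Canary report): it reports whether a file carries com.apple.quarantine and, when run on macOS, writes the attribute onto a curl-fetched download so Gatekeeper evaluates it the way it would a browser download. The function names, the flag value 0081 and the agent label are assumptions; the attribute format (flags;hex-epoch;agent;uuid) is what browsers write.

```shell
#!/bin/sh
# Assumed flag value; browsers write values such as 0081/0083 here.
QUARANTINE_FLAGS=${QUARANTINE_FLAGS:-0081}

# Build a quarantine value in the same layout a browser download gets:
#   <flags>;<download time as hex epoch>;<downloading agent>;<uuid>
quarantine_value() {
  agent=${1:-curl}
  ts=$(printf '%x' "$(date +%s)")
  uuid=$(uuidgen 2>/dev/null || echo 00000000-0000-0000-0000-000000000000)
  printf '%s;%s;%s;%s' "$QUARANTINE_FLAGS" "$ts" "$agent" "$uuid"
}

# Exit 0 if the file already has com.apple.quarantine, non-zero otherwise
# (also non-zero where the xattr tool is absent, e.g. on Linux).
has_quarantine() {
  xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Apply the attribute to a file fetched with curl/wget so Gatekeeper
# and File Quarantine inspect it on first launch, as a browser download would.
ensure_quarantine() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "no such file: $f" >&2
    return 2
  fi
  if has_quarantine "$f"; then
    echo "already quarantined: $f"
    return 0
  fi
  xattr -w com.apple.quarantine "$(quarantine_value curl)" "$f" \
    && echo "quarantine set: $f"
}

# Usage (macOS): sh quarantine.sh ./downloaded-binary
if [ $# -gt 0 ]; then
  ensure_quarantine "$1"
fi
```

Confirm the result with `xattr -l <file>`; a binary without the attribute never reaches Gatekeeper's first-launch check.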
@defender @redcanary any experience with Google Santa? Curious how viable / valuable it is?
GitHub - google/santa: A binary authorization and monitoring system for macOS