| ID | Name |
|---|---|
| ATAGS-T1107.001 | Code Signing |
| ATAGS-T1107.002 | Code Signing Policy Modification |
| ATAGS-T1107.003 | Gatekeeper Bypass |
| ATAGS-T1107.004 | Install Root Certificate |
| ATAGS-T1107.005 | Mark-of-the-Web Bypass |
| ATAGS-T1107.006 | SIP and Trust Provider Hijacking |
Threat Actors may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure that only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently from reopened applications.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.