xattr #

Created by Jason Trost (@jason_trost)

Description ##

The xattr command can be used to display, modify or remove the extended attributes of one or more files, including directories and symbolic links. Extended attributes are arbitrary metadata stored with a file, but separate from the filesystem attributes (such as modification time or file size). The metadata is often a null-terminated UTF-8 string, but can also be arbitrary binary data. xattr can be used to bypass Gatekeeper.

Paths ##

• /usr/bin/xattr

Use Cases ##

Bypass Gatekeeper via xattr ##

Use xattr to remove quaratine extended attribute from a file.

xattr -d com.apple.quarantine FILE

Bypass Gatekeeper via xattr ##

Use xattr to remove quaratine extended attribute from multiple files or directories.

xattr -d -r com.apple.quarantine *

Detections ##

• Gatekeeper Bypass via Xattr

• Jamf Protect: Detect activity related to xattr and extended attributes

Resources ##

• Threat Hunting the macOS edition Megan Carney (Report)

• GrrCon 2018: Threat Hunting the macOS edition Megan Carney