T1553.001 Gatekeeper Bypass Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1553.001 — Gatekeeper Bypass detection (macOS)
// Part 1: Detect xattr removal of quarantine attribute
let QuarantineRemoval = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "xattr"
| where ProcessCommandLine has_any ("-d com.apple.quarantine", "--delete com.apple.quarantine",
                                    "-c ", "-r ", "-dr")
| extend DetectionType = "Quarantine_Attribute_Removed"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect spctl operations to add trusted sources or modify policy
let SpctlBypass = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "spctl"
| where ProcessCommandLine has_any ("--add", "--enable", "--master-disable",
                                    "--global-disable", "assessments")
| extend DetectionType = "Spctl_Gatekeeper_Modified"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
// Part 3: Detect DYLD injection into Gatekeeper-trusted processes
let DYLDInject = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("DYLD_INSERT_LIBRARIES", "DYLD_FRAMEWORK_PATH",
                                    "DYLD_LIBRARY_PATH")
| extend DetectionType = "DYLD_Injection"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
// Part 4: Detect writes to quarantine database removal
let QuarantineDB = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName =~ "QuarantineEventsV2" or
        FolderPath has "com.apple.LaunchServices"
| where ActionType in ("FileModified", "FileDeleted")
| where InitiatingProcessFileName !in~ ("quarantine", "tccd", "launchservicesd")
| extend DetectionType = "Quarantine_Database_Modified"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, DetectionType;
union QuarantineRemoval, SpctlBypass, DYLDInject, QuarantineDB
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation File: File Modification Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Developers removing quarantine from their own development builds for testing
Enterprise IT deploying applications via MDM or managed distribution where quarantine removal is part of the deployment process
Software build systems removing quarantine from build artifacts before packaging
System administrators disabling Gatekeeper temporarily for authorized software installation

Splunk

spl

index=mac_logs (sourcetype="macos:syslog" OR sourcetype="syslog" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval detection_type=case(
    match(_raw, "(?i)(xattr.*-d.*com\.apple\.quarantine|xattr.*--delete.*quarantine)"),
      "Quarantine_Attribute_Removed",
    match(_raw, "(?i)spctl") AND
      match(_raw, "(?i)(--add|--enable|--master-disable|--global-disable|assessments)"),
      "Spctl_Gatekeeper_Modified",
    match(_raw, "(?i)(DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH)"),
      "DYLD_Injection_Detected",
    match(_raw, "(?i)(QuarantineEventsV2|com\.apple\.LaunchServices.*Quarantine)") AND
      NOT match(_raw, "(?i)(launchservicesd|quarantine|tccd)"),
      "Quarantine_DB_Access",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, user, detection_type, _raw
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation macOS Syslog macOS Unified Log

Required Sourcetypes

macos:syslog syslog

False Positives

Developer workstations removing quarantine from dev builds
MDM-managed application deployment removing quarantine
Enterprise IT operations bypassing Gatekeeper for authorized installs

Elastic Security (EQL)

eql

any where host.os.type == "macos" and (
  (
    event.category == "process" and
    process.name == "xattr" and
    process.command_line : ("* -d com.apple.quarantine*", "* --delete com.apple.quarantine*",
                           "*xattr -c *", "*xattr -r *", "*xattr -dr *")
  ) or
  (
    event.category == "process" and
    process.name == "spctl" and
    process.command_line : ("* --add*", "* --enable*", "* --master-disable*", "* --global-disable*")
  ) or
  (
    event.category == "process" and
    process.command_line : ("*DYLD_INSERT_LIBRARIES*", "*DYLD_FRAMEWORK_PATH*", "*DYLD_LIBRARY_PATH*")
  ) or
  (
    event.category == "file" and
    file.name == "QuarantineEventsV2" and
    event.action in ("modification", "deletion") and
    not process.name in ("quarantine", "tccd", "launchservicesd", "lsd")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (macOS) Elastic Agent macOS process events Elastic Agent macOS file events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-*

False Positives

Homebrew package manager removes quarantine attributes from downloaded taps and cask installations as part of its standard post-install hook, producing high-volume xattr -d alerts on developer endpoints
Enterprise MDM solutions (Jamf Pro, Mosyle, Kandji) programmatically invoke spctl --add and xattr when deploying, validating, or whitelisting corporate managed applications across the fleet
Legitimate developer tooling including Apple Instruments, LLDB, and third-party code coverage frameworks set DYLD_INSERT_LIBRARIES to inject analysis libraries into signed processes during local testing and CI pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  "hostname" AS device_name,
  username,
  sourceip,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CASE
    WHEN UTF8(payload) ILIKE '%xattr%'
      AND (
        UTF8(payload) ILIKE '%-d com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%--delete com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%xattr -dr %'
        OR UTF8(payload) ILIKE '%xattr -c %'
      )
      THEN 'Quarantine_Attribute_Removed'
    WHEN UTF8(payload) ILIKE '%spctl%'
      AND (
        UTF8(payload) ILIKE '% --add%'
        OR UTF8(payload) ILIKE '%--enable%'
        OR UTF8(payload) ILIKE '%--master-disable%'
        OR UTF8(payload) ILIKE '%--global-disable%'
      )
      THEN 'Spctl_Gatekeeper_Modified'
    WHEN UTF8(payload) ILIKE '%DYLD_INSERT_LIBRARIES%'
      OR UTF8(payload) ILIKE '%DYLD_FRAMEWORK_PATH%'
      OR UTF8(payload) ILIKE '%DYLD_LIBRARY_PATH%'
      THEN 'DYLD_Injection_Detected'
    WHEN UTF8(payload) ILIKE '%QuarantineEventsV2%'
      AND UTF8(payload) NOT ILIKE '%launchservicesd%'
      AND UTF8(payload) NOT ILIKE '%tccd%'
      THEN 'Quarantine_DB_Modified'
  END AS detection_type,
  UTF8(payload) AS raw_event
FROM events
WHERE starttime > NOW() - 86400000
  AND LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X', 'Apple macOS', 'Universal DSM')
  AND (
    (
      UTF8(payload) ILIKE '%xattr%'
      AND (
        UTF8(payload) ILIKE '%-d com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%--delete com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%xattr -c %'
        OR UTF8(payload) ILIKE '%xattr -dr %'
      )
    )
    OR (
      UTF8(payload) ILIKE '%spctl%'
      AND (
        UTF8(payload) ILIKE '% --add%'
        OR UTF8(payload) ILIKE '%--enable%'
        OR UTF8(payload) ILIKE '%--master-disable%'
        OR UTF8(payload) ILIKE '%--global-disable%'
      )
    )
    OR UTF8(payload) ILIKE '%DYLD_INSERT_LIBRARIES%'
    OR UTF8(payload) ILIKE '%DYLD_FRAMEWORK_PATH%'
    OR (
      UTF8(payload) ILIKE '%QuarantineEventsV2%'
      AND UTF8(payload) NOT ILIKE '%launchservicesd%'
      AND UTF8(payload) NOT ILIKE '%tccd%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Apple Mac OS X QRadar log source Apple macOS DSM via syslog forwarding Universal DSM for custom macOS Unified Log forwarding

Required Tables

events

False Positives

Automated CI/CD macOS build agents (Jenkins, GitHub Actions self-hosted runners, Buildkite) routinely call xattr -d on downloaded artifact binaries as part of build post-processing, creating sustained alert volume
IT-managed software deployment workflows executed by Munki, Jamf Pro, or similar MDM tooling invoke spctl --add to whitelist corporate applications, generating Spctl_Gatekeeper_Modified events at deployment scale
Authorized penetration testing engagements on macOS endpoints may set DYLD environment variables as part of privilege escalation chain testing or dynamic analysis

Sumo Logic CSE

sql

_index=sec_record_*
| where !isNull(commandLine) or !isNull(filePath)
| eval detection_type = if(commandLine matches /(?i)xattr\s+(--delete|-d)\s+com\.apple\.quarantine/,
    "Quarantine_Attribute_Removed",
    if(commandLine matches /(?i)xattr\s+(-c|-r|-dr)\s/,
    "Quarantine_Flags_Cleared",
    if(commandLine matches /(?i)spctl\s+(--add|--enable|--master-disable|--global-disable)/,
    "Spctl_Gatekeeper_Modified",
    if(commandLine matches /(?i)(DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH)/,
    "DYLD_Injection_Detected",
    if(filePath matches /(?i)QuarantineEventsV2/
      and !(processName matches /(?i)(quarantine|tccd|launchservicesd|lsd)/),
    "Quarantine_DB_Modified",
    null)))))
| where !isNull(detection_type)
| fields _messageTime, device_hostname, user_username, processName, commandLine, filePath, detection_type
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic CSE normalized records (sec_record_*) macOS Endpoint Security Framework events forwarded via Sumo Logic macOS source CrowdStrike Falcon or SentinelOne macOS data normalized by Sumo Logic CSE mapper

Required Tables

sec_record_*

False Positives

Homebrew, MacPorts, and nix package managers invoke xattr with quarantine-removal flags on every package installation from their repositories, creating sustained alert volume on developer machines
Corporate MDM deployment scripts executed by Jamf, Mosyle, or Kandji agents call spctl --add and spctl --enable as part of standard application whitelisting procedures during software lifecycle management
Reverse engineering and malware analysis workflows on isolated sandbox machines legitimately set DYLD_INSERT_LIBRARIES to inject custom dynamic libraries for behavioral tracing of potentially malicious samples

Google Chronicle / SecOps

yaral

rule T1553_001_Gatekeeper_Bypass {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects macOS Gatekeeper bypass via xattr quarantine removal, spctl policy modification, DYLD library injection, or unauthorized quarantine database access"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553.001"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "macOS"

  events:
    (
      $proc.metadata.event_type = "PROCESS_LAUNCH"
      $proc.principal.platform = "MAC"
      (
        (
          re.regex($proc.target.process.file.full_path, `xattr$`) and
          (
            re.regex($proc.target.process.command_line, `-d com\.apple\.quarantine`) or
            re.regex($proc.target.process.command_line, `--delete com\.apple\.quarantine`) or
            re.regex($proc.target.process.command_line, `xattr -c `) or
            re.regex($proc.target.process.command_line, `xattr -(dr|r) `)
          )
        ) or
        (
          re.regex($proc.target.process.file.full_path, `spctl$`) and
          (
            re.regex($proc.target.process.command_line, `--add`) or
            re.regex($proc.target.process.command_line, `--enable`) or
            re.regex($proc.target.process.command_line, `--master-disable`) or
            re.regex($proc.target.process.command_line, `--global-disable`)
          )
        ) or
        (
          re.regex($proc.target.process.command_line, `DYLD_INSERT_LIBRARIES`) or
          re.regex($proc.target.process.command_line, `DYLD_FRAMEWORK_PATH`) or
          re.regex($proc.target.process.command_line, `DYLD_LIBRARY_PATH`)
        )
      )
    ) or
    (
      $file.metadata.event_type = "FILE_MODIFICATION"
      $file.principal.platform = "MAC"
      re.regex($file.target.file.full_path, `QuarantineEventsV2`)
      not re.regex($file.principal.process.file.full_path, `(launchservicesd|tccd|lsd)$`)
    )

  condition:
    $proc or $file
}

high severity high confidence

Data Sources

Chronicle UDM PROCESS_LAUNCH events from macOS endpoints Chronicle UDM FILE_MODIFICATION events CrowdStrike Falcon, Carbon Black, or SentinelOne macOS telemetry forwarded to Chronicle via ingestion API

Required Tables

UDM entity type: PROCESS_LAUNCH UDM entity type: FILE_MODIFICATION

False Positives

Software distribution pipelines using Autopkg, Munki, or similar open-source deployment tools automatically remove quarantine attributes during package preparation and managed software distribution workflows
Apple's own developer toolchain (Xcode, codesign, notarytool, altool) calls spctl for assessment and policy verification during the code signing and App Store notarization workflow
Endpoint detection and response agents from Objective-See, commercial EDR vendors, and Apple's own Endpoint Security Framework may use DYLD-based interposition internally during their sensor initialization or install phase

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2/
| CommandLine = /(?i)(xattr.+(-d|--delete)\s+com\.apple\.quarantine|xattr\s+-(c|r|dr)\s|spctl.+(--add|--enable|--master-disable|--global-disable)|DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH)/
| case {
    CommandLine = /(?i)xattr.+(--delete|-d)\s+com\.apple\.quarantine/ | detection_type := "Quarantine_Attribute_Removed" ;
    CommandLine = /(?i)xattr\s+-(c|r|dr)\s/ | detection_type := "Quarantine_Flags_Cleared" ;
    CommandLine = /(?i)spctl.+(--add|--enable|--master-disable|--global-disable)/ | detection_type := "Spctl_Gatekeeper_Modified" ;
    CommandLine = /(?i)(DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH)/ | detection_type := "DYLD_Injection_Detected" ;
    * | detection_type := "Gatekeeper_Bypass_Other" ;
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events (macOS) CrowdStrike SyntheticProcessRollup2 events for script-launched child processes

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Homebrew's install scripts call xattr -d com.apple.quarantine on every downloaded formula and cask binary, producing continuous high-volume Quarantine_Attribute_Removed alerts on developer workstations enrolled in Falcon
Managed software deployment jobs initiated by Jamf Pro, Kandji, or Microsoft Intune for macOS generate spctl --add calls when configuring application approval policies during corporate software lifecycle operations
The CrowdStrike Falcon sensor itself and other commercial EDR tools may rely on DYLD-based interposition as a core capability of their user-space monitoring components on macOS, particularly on older OS versions without System Extension support

Gatekeeper Bypass

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections