T1553.001 Google Chronicle · YARA-L

Detect Gatekeeper Bypass in Google Chronicle

Adversaries bypass macOS Gatekeeper to execute untrusted applications without triggering security prompts. Gatekeeper enforces code signing and app notarization requirements. Bypass techniques include: removing the quarantine extended attribute (xattr -d com.apple.quarantine), using archive formats (.zip, .dmg, .iso) that strip quarantine on extraction, exploiting the first-launch trust mechanism, using DYLD_INSERT_LIBRARIES for code injection into trusted apps, and abusing symlinks to confuse Gatekeeper path checks. Malware widely abuses these techniques to run on macOS without triggering security warnings.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.001 Gatekeeper Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/001/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule T1553_001_Gatekeeper_Bypass {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects macOS Gatekeeper bypass via xattr quarantine removal, spctl policy modification, DYLD library injection, or unauthorized quarantine database access"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553.001"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "macOS"

  events:
    // Branch 1: suspicious process launches on macOS hosts
    (
      $proc.metadata.event_type = "PROCESS_LAUNCH" and
      $proc.principal.platform = "MAC" and
      (
        // xattr stripping the quarantine attribute (explicit delete, clear-all, or recursive forms)
        (
          re.regex($proc.target.process.file.full_path, `xattr$`) and
          (
            re.regex($proc.target.process.command_line, `-d com\.apple\.quarantine`) or
            re.regex($proc.target.process.command_line, `--delete com\.apple\.quarantine`) or
            re.regex($proc.target.process.command_line, `xattr -c `) or
            re.regex($proc.target.process.command_line, `xattr -(dr|rd|r) `)
          )
        ) or
        // spctl changing Gatekeeper policy (--global-disable replaces --master-disable on newer macOS)
        (
          re.regex($proc.target.process.file.full_path, `spctl$`) and
          (
            re.regex($proc.target.process.command_line, `--add`) or
            re.regex($proc.target.process.command_line, `--enable`) or
            re.regex($proc.target.process.command_line, `--master-disable`) or
            re.regex($proc.target.process.command_line, `--global-disable`)
          )
        ) or
        // dyld environment variables that inject code into otherwise trusted binaries
        (
          re.regex($proc.target.process.command_line, `DYLD_INSERT_LIBRARIES`) or
          re.regex($proc.target.process.command_line, `DYLD_FRAMEWORK_PATH`) or
          re.regex($proc.target.process.command_line, `DYLD_LIBRARY_PATH`)
        )
      )
    ) or
    // Branch 2: writes to the quarantine events database by anything other than the system daemons that own it
    (
      $file.metadata.event_type = "FILE_MODIFICATION" and
      $file.principal.platform = "MAC" and
      re.regex($file.target.file.full_path, `QuarantineEventsV2`) and
      not re.regex($file.principal.process.file.full_path, `(launchservicesd|tccd|lsd)$`)
    )

  condition:
    $proc or $file
}
```

Chronicle YARA-L 2.0 rule detecting macOS Gatekeeper bypass using PROCESS_LAUNCH and FILE_MODIFICATION UDM events. Triggers on xattr quarantine attribute removal, spctl Gatekeeper policy changes, DYLD dynamic linker hijacking via environment variables, and unauthorized writes to the quarantine events database. Uses re.regex with backtick raw strings for pattern matching against UDM command_line and file path fields.
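To check what the rule above does and does not fire on before deploying it, the following added example (not part of the original rule package) replays its regex logic in Python over constructed, flattened UDM-like events; Python's re stands in for Chronicle's re.regex, and the field names (process_path, command_line, writer_path, file_path) are stand-ins for the UDM paths the rule references.

```python
import re

# Python re equivalents of the rule's re.regex patterns (constructed for this example).
XATTR_BIN = re.compile(r"xattr$")
XATTR_CMD = re.compile(r"-d com\.apple\.quarantine|--delete com\.apple\.quarantine|xattr -c |xattr -(dr|rd|r) ")
SPCTL_BIN = re.compile(r"spctl$")
SPCTL_CMD = re.compile(r"--add|--enable|--master-disable|--global-disable")
DYLD_CMD = re.compile(r"DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH")
QUARANTINE_DB = re.compile(r"QuarantineEventsV2")
SYSTEM_WRITERS = re.compile(r"(launchservicesd|tccd|lsd)$")  # legitimate writers excluded by the $file branch

def matches_rule(ev: dict) -> bool:
    """True when one flattened UDM-like event satisfies the rule's $proc branch or its $file branch."""
    if ev.get("platform") != "MAC":                 # both branches require principal.platform = "MAC"
        return False
    if ev.get("event_type") == "PROCESS_LAUNCH":
        path, cmd = ev.get("process_path", ""), ev.get("command_line", "")
        if XATTR_BIN.search(path) and XATTR_CMD.search(cmd):
            return True                             # quarantine attribute stripped
        if SPCTL_BIN.search(path) and SPCTL_CMD.search(cmd):
            return True                             # Gatekeeper policy changed
        return bool(DYLD_CMD.search(cmd))           # dyld environment injection
    if ev.get("event_type") == "FILE_MODIFICATION":
        return bool(QUARANTINE_DB.search(ev.get("file_path", ""))) and not SYSTEM_WRITERS.search(ev.get("writer_path", ""))
    return False

# Constructed sample events (not real telemetry); only e1, e4, e5 and e7 should alert.
SAMPLE_EVENTS = [
    {"id": "e1", "platform": "MAC", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/jdoe/Downloads/tool.zip"},
    {"id": "e2", "platform": "MAC", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/xattr",
     "command_line": "xattr -l /Users/jdoe/Downloads/tool.zip"},             # listing only: no alert
    {"id": "e3", "platform": "MAC", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/sbin/spctl",
     "command_line": "spctl --status"},                                       # read-only query: no alert
    {"id": "e4", "platform": "MAC", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/sbin/spctl",
     "command_line": "spctl --master-disable"},
    {"id": "e5", "platform": "MAC", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/env",
     "command_line": "env DYLD_INSERT_LIBRARIES=/tmp/injected.dylib /Applications/Calculator.app/Contents/MacOS/Calculator"},
    {"id": "e6", "platform": "MAC", "event_type": "FILE_MODIFICATION", "writer_path": "/System/Library/CoreServices/lsd",
     "file_path": "/Users/jdoe/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"},  # excluded writer
    {"id": "e7", "platform": "MAC", "event_type": "FILE_MODIFICATION", "writer_path": "/usr/bin/sqlite3",
     "file_path": "/Users/jdoe/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"},
    {"id": "e8", "platform": "LINUX", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/xattr",
     "command_line": "xattr -d com.apple.quarantine /tmp/x"},                 # wrong platform: no alert
]

def alerting_events(events) -> list:
    return [e["id"] for e in events if matches_rule(e)]   # ids that would raise this detection
```

Note that a plain `spctl --status` (e3) does not match any spctl flag in the rule, so a status check alone produces no alert from this rule.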

Data Sources

  • Chronicle UDM PROCESS_LAUNCH events from macOS endpoints
  • Chronicle UDM FILE_MODIFICATION events
  • CrowdStrike Falcon, Carbon Black, or SentinelOne macOS telemetry forwarded to Chronicle via the ingestion API

Required Tables

  • UDM entity type: PROCESS_LAUNCH
  • UDM entity type: FILE_MODIFICATION

False Positives & Tuning

  • Software distribution pipelines using Autopkg, Munki, or similar open-source deployment tools automatically remove quarantine attributes during package preparation and managed software distribution workflows
  • Apple's own developer toolchain (Xcode, codesign, notarytool, altool) calls spctl for assessment and policy verification during the code signing and App Store notarization workflow
  • Endpoint detection and response agents from Objective-See, commercial EDR vendors, and Apple's own Endpoint Security Framework may use DYLD-based interposition internally during their sensor initialization or install phase

Testing Methodology

Validate this detection against three Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Remove Quarantine Attribute from a File

    Expected signal: macOS Syslog/Unified Log: xattr command with -d com.apple.quarantine argument. Process creation for xattr binary.

  2. Test 2: Check Gatekeeper Status

    Expected signal: Process creation for spctl --status. macOS Unified Log entry for spctl execution.

  3. Test 3: Disable and Re-enable Gatekeeper (Admin Required)

    Expected signal: macOS Unified Log: spctl --master-disable event. Auth log: sudo authentication for spctl. Process creation for spctl.
