T1553.001 Elastic Security · Elastic

Detect Gatekeeper Bypass in Elastic Security

Adversaries bypass macOS Gatekeeper to run untrusted applications without triggering its security prompts. Gatekeeper evaluates content that carries the com.apple.quarantine extended attribute (set by browsers and other downloaders) for a valid Developer ID signature and notarization before it is first opened; content without the attribute is not assessed. Bypass techniques include: removing the quarantine attribute (xattr -d com.apple.quarantine); delivering payloads in archive or disk-image formats (.zip, .dmg, .iso) whose extraction tooling does not propagate the quarantine attribute to the extracted contents; exploiting the first-launch trust mechanism, since Gatekeeper assesses an application only when it is first opened; injecting code into already-trusted applications through DYLD_INSERT_LIBRARIES (dyld ignores DYLD_* variables for binaries built with the hardened runtime unless they opt in, so this works only against unhardened targets); and abusing symlinks to confuse Gatekeeper path checks. Malware widely uses these techniques to run on macOS without a security warning.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.001 Gatekeeper Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/001/

Elastic Detection Query

Elastic Security (Elastic)
eql
any where host.os.type == "macos" and (
  (
    // quarantine attribute removed or all xattrs cleared (recursively or not)
    event.category == "process" and
    process.name == "xattr" and
    process.command_line : ("* -d com.apple.quarantine*", "* --delete com.apple.quarantine*",
                           "*xattr -c *", "*xattr -r *", "*xattr -dr *")
  ) or
  (
    // Gatekeeper policy changed: rule added/enabled or assessment disabled globally
    event.category == "process" and
    process.name == "spctl" and
    process.command_line : ("* --add*", "* --enable*", "* --master-disable*", "* --global-disable*")
  ) or
  (
    // dynamic-linker environment variables passed on the command line of any process
    event.category == "process" and
    process.command_line : ("*DYLD_INSERT_LIBRARIES*", "*DYLD_FRAMEWORK_PATH*", "*DYLD_LIBRARY_PATH*")
  ) or
  (
    // quarantine history database (~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2)
    // modified or deleted by something other than the LaunchServices daemons; file.name is the
    // full basename, so the short form "QuarantineEventsV2" would never match
    event.category == "file" and
    file.name == "com.apple.LaunchServices.QuarantineEventsV2" and
    event.action in ("modification", "deletion") and
    not process.name in ("quarantine", "tccd", "launchservicesd", "lsd")
  )
)
Severity: high · Confidence: high

Detects macOS Gatekeeper bypass techniques using Elastic EQL with ECS field mappings. Covers quarantine attribute removal via xattr, Gatekeeper policy manipulation via spctl, DYLD dynamic linker injection through environment variables, and direct tampering with the quarantine history database. The query uses the "any" event type, so it must be scheduled against both the process and file data streams listed below. Requires the Elastic Endpoint Security integration (Elastic Agent) deployed on macOS endpoints.

Data Sources

  • Elastic Endpoint Security (macOS)
  • Elastic Agent macOS process events
  • Elastic Agent macOS file events

Required Tables

  • logs-endpoint.events.process-*
  • logs-endpoint.events.file-*

False Positives & Tuning

  • Homebrew cask installs can invoke xattr -d com.apple.quarantine on the downloaded artifact (for example when run with --no-quarantine), producing high-volume alerts from the xattr branch on developer endpoints; tune on the parent process (a Ruby interpreter under the Homebrew prefix) rather than on xattr itself
  • Enterprise MDM solutions (Jamf Pro, Mosyle, Kandji) programmatically invoke spctl --add and xattr when deploying, validating, or allowlisting corporate managed applications across the fleet; exclude by the MDM agent's executable path as the parent process, not by the spctl arguments
  • Legitimate developer tooling including Apple Instruments, LLDB, and third-party code coverage frameworks set DYLD_INSERT_LIBRARIES to inject analysis libraries into processes during local testing and CI pipelines; the DYLD branch matches any command line containing the variable name, so expect noise wherever developers work and scope exclusions to the injected library path where possible
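The following added example (it is not code from this page or from Elastic) re-implements the four branches of the EQL rule above in Python so they can be exercised offline, and layers the parent-process allowlisting suggested in the tuning notes on top of the raw matches. The sample events are constructed to resemble ECS process and file documents; the paths in TRUSTED_PARENT_PATTERNS are hypothetical and would be replaced with the site's own MDM and package-manager locations.

```python
"""Run the Gatekeeper-bypass detection logic over constructed ECS-style events.

Re-implements the EQL rule's four branches (xattr, spctl, DYLD_* env vars,
quarantine database tampering) and adds a parent-executable allowlist on top,
which is how the false positives in the tuning section would be suppressed.
"""
import fnmatch

# Full basename of the quarantine history database written by LaunchServices.
QUARANTINE_DB = "com.apple.LaunchServices.QuarantineEventsV2"

# Wildcard patterns copied from the rule (EQL ':' is a case-insensitive glob match).
XATTR_PATTERNS = ("* -d com.apple.quarantine*", "* --delete com.apple.quarantine*",
                  "*xattr -c *", "*xattr -r *", "*xattr -dr *")
SPCTL_PATTERNS = ("* --add*", "* --enable*", "* --master-disable*", "* --global-disable*")
DYLD_PATTERNS = ("*DYLD_INSERT_LIBRARIES*", "*DYLD_FRAMEWORK_PATH*", "*DYLD_LIBRARY_PATH*")
DB_WRITERS = {"quarantine", "tccd", "launchservicesd", "lsd"}

# Hypothetical site-specific allowlist (tuning assumption): parent executables that
# legitimately run xattr/spctl, e.g. an MDM agent and anything under the Homebrew prefix.
TRUSTED_PARENT_PATTERNS = ("/usr/local/jamf/bin/jamf", "/opt/homebrew/*")


def glob_any(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match of value against any pattern."""
    value = (value or "").lower()
    return any(fnmatch.fnmatchcase(value, pattern.lower()) for pattern in patterns)


def match_rule(event):
    """Return the name of the rule branch the event fires, or None if it does not match."""
    if event.get("host.os.type") != "macos":
        return None
    category = event.get("event.category")
    name = event.get("process.name")
    cmdline = event.get("process.command_line")
    if category == "process":
        if name == "xattr" and glob_any(cmdline, XATTR_PATTERNS):
            return "quarantine_xattr_removed"
        if name == "spctl" and glob_any(cmdline, SPCTL_PATTERNS):
            return "gatekeeper_policy_changed"
        if glob_any(cmdline, DYLD_PATTERNS):   # any process name, as in the rule
            return "dyld_env_injection"
    elif category == "file":
        if (event.get("file.name") == QUARANTINE_DB
                and event.get("event.action") in ("modification", "deletion")
                and name not in DB_WRITERS):
            return "quarantine_db_tampered"
    return None


def evaluate(events, trusted_parents=TRUSTED_PARENT_PATTERNS):
    """Apply the rule, then drop hits whose parent executable is on the allowlist."""
    alerts = []
    for event in events:
        reason = match_rule(event)
        if reason is None:
            continue
        if glob_any(event.get("process.parent.executable"), trusted_parents):
            continue  # tuned out: launched by an allowlisted parent
        alerts.append((event["id"], reason))
    return alerts


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"id": "e1", "host.os.type": "macos", "event.category": "process", "process.name": "xattr",
     "process.command_line": "xattr -d com.apple.quarantine /Users/alice/Downloads/Update.app",
     "process.parent.executable": TERMINAL},
    {"id": "e2", "host.os.type": "macos", "event.category": "process", "process.name": "xattr",
     "process.command_line": "xattr -r -d com.apple.quarantine /Applications/Corp.app",
     "process.parent.executable": "/usr/local/jamf/bin/jamf"},          # MDM: suppressed
    {"id": "e3", "host.os.type": "macos", "event.category": "process", "process.name": "spctl",
     "process.command_line": "spctl --status", "process.parent.executable": TERMINAL},
    {"id": "e4", "host.os.type": "macos", "event.category": "process", "process.name": "spctl",
     "process.command_line": "spctl --master-disable", "process.parent.executable": "/usr/bin/sudo"},
    {"id": "e5", "host.os.type": "macos", "event.category": "process", "process.name": "env",
     "process.command_line": "env DYLD_INSERT_LIBRARIES=/tmp/inject.dylib "
                             "/Applications/Notes.app/Contents/MacOS/Notes",
     "process.parent.executable": "/bin/zsh"},
    {"id": "e6", "host.os.type": "macos", "event.category": "file", "process.name": "sqlite3",
     "file.name": QUARANTINE_DB, "event.action": "modification",
     "process.parent.executable": "/bin/zsh"},
    {"id": "e7", "host.os.type": "macos", "event.category": "file", "process.name": "lsd",
     "file.name": QUARANTINE_DB, "event.action": "modification"},      # legitimate writer
    {"id": "e8", "host.os.type": "linux", "event.category": "process", "process.name": "xattr",
     "process.command_line": "xattr -d com.apple.quarantine /tmp/x"},   # wrong OS
]

if __name__ == "__main__":
    for event_id, reason in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {reason}")
```

Note that e3 (spctl --status) produces process telemetry but never fires the rule, which mirrors Test 2 below, and that e2 matches the xattr branch but is suppressed only by the parent allowlist, so the raw rule output and the tuned output should be tracked separately when measuring alert volume.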
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; note that only Tests 1 and 3 are expected to fire the query above.

  1. Test 1: Remove Quarantine Attribute from a File

    Expected signal: macOS Unified Log: xattr command with -d com.apple.quarantine argument. Process creation for the xattr binary, matched by the xattr branch of the query.

  2. Test 2: Check Gatekeeper Status

    Expected signal: Process creation for spctl --status. macOS Unified Log entry for spctl execution. This test only reads policy state; the query does not match --status, so it serves as a baseline for telemetry collection rather than a detection test.

  3. Test 3: Disable and Re-enable Gatekeeper (Admin Required)

    Expected signal: macOS Unified Log: spctl --master-disable event. Auth log: sudo authentication for spctl. Process creation for spctl, matched by the spctl branch of the query on both the --master-disable and the re-enabling --enable invocation.
