T1553.001 CrowdStrike LogScale · LogScale

Detect Gatekeeper Bypass in CrowdStrike LogScale

Adversaries bypass macOS Gatekeeper to execute untrusted applications without triggering security prompts. Gatekeeper enforces code signing and app notarization requirements. Bypass techniques include: removing the quarantine extended attribute (xattr -d com.apple.quarantine), using archive formats (.zip, .dmg, .iso) that strip quarantine on extraction, exploiting the first-launch trust mechanism, using DYLD_INSERT_LIBRARIES for code injection into trusted apps, and abusing symlinks to confuse Gatekeeper path checks. Malware widely abuses these techniques to run on macOS without triggering security warnings.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.001 Gatekeeper Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale) query, written in CQL:

#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2/
| CommandLine = /(?i)(xattr.+(-d|--delete)\s+com\.apple\.quarantine|xattr\s+-(c|r|dr)\s|spctl.+(--add|--enable|--master-disable|--global-disable)|DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH)/
| case {
    CommandLine = /(?i)xattr.+(--delete|-d)\s+com\.apple\.quarantine/ | detection_type := "Quarantine_Attribute_Removed" ;
    CommandLine = /(?i)xattr\s+-(c|r|dr)\s/ | detection_type := "Quarantine_Flags_Cleared" ;
    CommandLine = /(?i)spctl.+(--add|--enable|--master-disable|--global-disable)/ | detection_type := "Spctl_Gatekeeper_Modified" ;
    CommandLine = /(?i)(DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH)/ | detection_type := "DYLD_Injection_Detected" ;
    * | detection_type := "Gatekeeper_Bypass_Other" ;
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type])
| sort(timestamp, order=desc)

Severity
high
Confidence
high

This CrowdStrike Falcon LogScale (CQL) query detects macOS Gatekeeper bypass by matching the command lines of ProcessRollup2 and SyntheticProcessRollup2 events against known bypass patterns. Each match is classified as quarantine attribute removal, quarantine flag clearing, spctl policy modification, or DYLD injection so that analysts can prioritize triage by category. The query covers process execution only; for changes to the quarantine database itself, supplement it with a companion query that filters NewFileWrite or PlistFileWritten events on QuarantineEventsV2.

Data Sources

  • CrowdStrike Falcon sensor ProcessRollup2 events (macOS)
  • CrowdStrike SyntheticProcessRollup2 events for script-launched child processes

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2

False Positives & Tuning

  • Homebrew's install scripts call xattr -d com.apple.quarantine on every downloaded formula and cask binary, producing continuous high-volume Quarantine_Attribute_Removed alerts on developer workstations enrolled in Falcon
  • Managed software deployment jobs initiated by Jamf Pro, Kandji, or Microsoft Intune for macOS generate spctl --add calls when configuring application approval policies during corporate software lifecycle operations
  • The CrowdStrike Falcon sensor itself and other commercial EDR tools may rely on DYLD-based interposition as a core capability of their user-space monitoring components on macOS, particularly on older OS versions without System Extension support
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Remove Quarantine Attribute from a File

    Expected signal: macOS Syslog/Unified Log: xattr command with -d com.apple.quarantine argument. Process creation for xattr binary.

  2. Test 2: Check Gatekeeper Status

    Expected signal: Process creation for spctl --status. macOS Unified Log entry for spctl execution.

  3. Test 3: Disable and Re-enable Gatekeeper (Admin Required)

    Expected signal: macOS Unified Log: spctl --master-disable event. Auth log: sudo authentication for spctl. Process creation for spctl.
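To see how the query behaves on the three tests above and on the tuning cases from the False Positives section, here is an added Python replay of the query's logic. It is example code written for this page, not the page's query, LogScale, or any Falcon sensor component: it applies the same regexes, in the same branch order, to constructed ProcessRollup2-style records, then applies a parent-process allowlist of the kind the tuning notes suggest. The event records, the `KNOWN_GOOD_PARENTS` names (`brew`, `jamf`, `kandji-agent`), and the function names are assumptions. Running it shows something the test list does not state outright: `spctl --status` (Test 2) matches none of the query's patterns, so that test produces process telemetry but no row from this rule, while the Homebrew `xattr -d` call matches and is only silenced by the allowlist.

```python
"""Offline replay of the LogScale Gatekeeper-bypass query (added example, not the page's own
code). Applies the query's regexes to constructed ProcessRollup2-style records, then applies a
parent-process allowlist modelled on the page's tuning notes."""
import re
from typing import Optional

# Branches of the query's case{} block, in the same order (first match wins, as in LogScale).
CASE_BRANCHES = [
    ("Quarantine_Attribute_Removed", re.compile(r"xattr.+(--delete|-d)\s+com\.apple\.quarantine", re.I)),
    ("Quarantine_Flags_Cleared",     re.compile(r"xattr\s+-(c|r|dr)\s", re.I)),
    ("Spctl_Gatekeeper_Modified",    re.compile(r"spctl.+(--add|--enable|--master-disable|--global-disable)", re.I)),
    ("DYLD_Injection_Detected",      re.compile(r"DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH", re.I)),
]

# The query's CommandLine pre-filter. It is the union of the branches above, so the "*"
# fallback (Gatekeeper_Bypass_Other) cannot actually fire; it is kept here for fidelity.
PREFILTER = re.compile(
    r"xattr.+(-d|--delete)\s+com\.apple\.quarantine"
    r"|xattr\s+-(c|r|dr)\s"
    r"|spctl.+(--add|--enable|--master-disable|--global-disable)"
    r"|DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH",
    re.I,
)

EVENT_TYPES = {"ProcessRollup2", "SyntheticProcessRollup2"}

# Assumed tuning allowlist (hypothetical parent names; validate against your own fleet):
# detection_type -> parent process names for which that finding is expected.
KNOWN_GOOD_PARENTS = {
    "Quarantine_Attribute_Removed": {"brew"},                 # Homebrew formula/cask installs
    "Spctl_Gatekeeper_Modified": {"jamf", "kandji-agent"},    # MDM-driven spctl --add
}


def classify(event: dict) -> Optional[str]:
    """Return the detection_type the query would assign, or None if the event is not selected."""
    if event.get("event_simpleName") not in EVENT_TYPES:
        return None
    cmd = event.get("CommandLine", "")
    if not PREFILTER.search(cmd):          # LogScale `field = /regex/` is an unanchored search
        return None
    for label, pattern in CASE_BRANCHES:
        if pattern.search(cmd):
            return label
    return "Gatekeeper_Bypass_Other"


def is_known_good(event: dict, detection_type: str) -> bool:
    """Tuning hook: True when the parent is an approved installer or MDM agent for this finding."""
    return event.get("ParentBaseFileName") in KNOWN_GOOD_PARENTS.get(detection_type, set())


def run_query(events: list, suppress_known_good: bool = True) -> list:
    """Emulate the query's table() and sort(): one row per alert, newest first."""
    columns = ("timestamp", "ComputerName", "UserName", "ImageFileName", "CommandLine", "ParentBaseFileName")
    rows = []
    for ev in events:
        dt = classify(ev)
        if dt is None or (suppress_known_good and is_known_good(ev, dt)):
            continue
        rows.append({**{k: ev[k] for k in columns}, "detection_type": dt})
    return sorted(rows, key=lambda r: r["timestamp"], reverse=True)


def _ev(ts, cmd, parent, image, kind="ProcessRollup2"):
    """Build one constructed ProcessRollup2-style record."""
    return {"event_simpleName": kind, "timestamp": ts, "ComputerName": "mac-01",
            "UserName": "alice", "ImageFileName": image, "CommandLine": cmd,
            "ParentBaseFileName": parent}


# Constructed sample telemetry, including the three Atomic Red Team tests listed on the page.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:01Z", "xattr -d com.apple.quarantine /Users/alice/Downloads/tool.app",
        "Terminal", "/usr/bin/xattr"),                                         # Test 1
    _ev("2024-05-01T10:00:02Z", "spctl --status", "bash", "/usr/sbin/spctl"),  # Test 2
    _ev("2024-05-01T10:00:03Z", "spctl --master-disable", "sudo", "/usr/sbin/spctl"),  # Test 3
    _ev("2024-05-01T10:00:04Z", "xattr -c /tmp/stage/payload", "bash", "/usr/bin/xattr",
        kind="SyntheticProcessRollup2"),
    _ev("2024-05-01T10:00:05Z",
        "env DYLD_INSERT_LIBRARIES=/tmp/hook.dylib /Applications/Notes.app/Contents/MacOS/Notes",
        "bash", "/usr/bin/env"),
    _ev("2024-05-01T10:00:06Z", "xattr -d com.apple.quarantine /opt/homebrew/Cellar/jq/1.7/bin/jq",
        "brew", "/usr/bin/xattr"),                                             # Homebrew noise
    _ev("2024-05-01T10:00:07Z", "ls -la@ /Users/alice/Downloads", "zsh", "/bin/ls"),
]

if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["timestamp"], row["detection_type"], row["CommandLine"])
```

With the allowlist enabled, the replay yields four rows (DYLD injection, flag clearing, the `--master-disable` call, and the Test 1 attribute removal) and drops the Homebrew call; with `suppress_known_good=False` the Homebrew call returns as a fifth row, which is the volume problem the tuning section describes. The allowlist keys on `ParentBaseFileName` only, so it is a starting point for tuning, not a substitute for confirming the parent's path and signature in the underlying event.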
