
Detect Gatekeeper Bypass in IBM QRadar

Adversaries bypass macOS Gatekeeper to execute untrusted applications without triggering the security prompt that would otherwise block unsigned or un-notarized code. Gatekeeper enforces code signing and notarization requirements, but it only assesses files that carry the com.apple.quarantine extended attribute, which browsers, mail clients and other quarantine-aware applications set on download. Bypass techniques therefore target either that attribute or the assessment itself: removing the attribute (xattr -d com.apple.quarantine), delivering the payload in an archive or disk-image format (.zip, .dmg, .iso) whose unpacking tool does not propagate the attribute to the extracted files, exploiting the first-launch trust mechanism, injecting code into an already-trusted application through DYLD_INSERT_LIBRARIES, and abusing symlinks to confuse Gatekeeper's path checks. macOS malware uses these techniques widely to run without a security warning.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.001 Gatekeeper Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/001/

QRadar Detection Query

IBM QRadar AQL
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  "hostname" AS device_name,
  username,
  sourceip,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CASE
    WHEN UTF8(payload) ILIKE '%xattr%'
      AND (
        UTF8(payload) ILIKE '%-d com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%--delete com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%xattr -dr %'
        OR UTF8(payload) ILIKE '%xattr -c %'
      )
      THEN 'Quarantine_Attribute_Removed'
    WHEN UTF8(payload) ILIKE '%spctl%'
      AND (
        UTF8(payload) ILIKE '% --add%'
        OR UTF8(payload) ILIKE '%--enable%'
        OR UTF8(payload) ILIKE '%--master-disable%'
        OR UTF8(payload) ILIKE '%--global-disable%'
      )
      THEN 'Spctl_Gatekeeper_Modified'
    WHEN UTF8(payload) ILIKE '%DYLD_INSERT_LIBRARIES%'
      OR UTF8(payload) ILIKE '%DYLD_FRAMEWORK_PATH%'
      OR UTF8(payload) ILIKE '%DYLD_LIBRARY_PATH%'
      THEN 'DYLD_Injection_Detected'
    WHEN UTF8(payload) ILIKE '%QuarantineEventsV2%'
      AND UTF8(payload) NOT ILIKE '%launchservicesd%'
      AND UTF8(payload) NOT ILIKE '%tccd%'
      THEN 'Quarantine_DB_Modified'
  END AS detection_type,
  UTF8(payload) AS raw_event
FROM events
WHERE starttime > NOW() - 86400000
  AND LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X', 'Apple macOS', 'Universal DSM')
  AND (
    (
      UTF8(payload) ILIKE '%xattr%'
      AND (
        UTF8(payload) ILIKE '%-d com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%--delete com.apple.quarantine%'
        OR UTF8(payload) ILIKE '%xattr -c %'
        OR UTF8(payload) ILIKE '%xattr -dr %'
      )
    )
    OR (
      UTF8(payload) ILIKE '%spctl%'
      AND (
        UTF8(payload) ILIKE '% --add%'
        OR UTF8(payload) ILIKE '%--enable%'
        OR UTF8(payload) ILIKE '%--master-disable%'
        OR UTF8(payload) ILIKE '%--global-disable%'
      )
    )
    OR UTF8(payload) ILIKE '%DYLD_INSERT_LIBRARIES%'
    OR UTF8(payload) ILIKE '%DYLD_FRAMEWORK_PATH%'
    OR UTF8(payload) ILIKE '%DYLD_LIBRARY_PATH%'
    OR (
      UTF8(payload) ILIKE '%QuarantineEventsV2%'
      AND UTF8(payload) NOT ILIKE '%launchservicesd%'
      AND UTF8(payload) NOT ILIKE '%tccd%'
    )
  )
ORDER BY starttime DESC
Severity: high · Confidence: medium

QRadar AQL query detecting macOS Gatekeeper bypass through ILIKE payload string matching against Apple macOS log sources. It searches raw event payloads for xattr quarantine-removal commands, spctl policy-modification flags, DYLD injection environment variables, and access to the QuarantineEventsV2 database by non-system processes, excluding the known-benign system daemons launchservicesd and tccd from the QuarantineEventsV2 branch. Because every match is a substring test on the raw payload, coverage depends on the forwarded syslog or Unified Log entry actually containing the command line; read-only checks such as spctl --status are not matched, and the WHERE clause must list the same patterns as the CASE expression or rows will be silently dropped before they are labelled.

Data Sources

  • Apple Mac OS X QRadar log source
  • Apple macOS DSM via syslog forwarding
  • Universal DSM for custom macOS Unified Log forwarding

Required Tables

events

False Positives & Tuning

  • Automated CI/CD macOS build agents (Jenkins, GitHub Actions self-hosted runners, Buildkite) routinely call xattr -d on downloaded artifact binaries as part of build post-processing, creating sustained alert volume
  • IT-managed software deployment workflows executed by Munki, Jamf Pro, or similar MDM tooling invoke spctl --add to whitelist corporate applications, generating Spctl_Gatekeeper_Modified events at deployment scale
  • Authorized penetration testing engagements on macOS endpoints may set DYLD environment variables as part of privilege escalation chain testing or dynamic analysis
  • Tune by host inventory or by the executing process and user rather than by the command string alone, and do not suppress spctl --master-disable or --global-disable, since those disable Gatekeeper system-wide regardless of who runs them

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Remove Quarantine Attribute from a File

    Expected signal: macOS Syslog/Unified Log: xattr command with -d com.apple.quarantine argument. Process creation for xattr binary.

  2. Test 2: Check Gatekeeper Status

    Expected signal: Process creation for spctl --status. macOS Unified Log entry for spctl execution. The query above does not match --status, so this test confirms that spctl executions reach QRadar; it should not produce a Spctl_Gatekeeper_Modified alert.

  3. Test 3: Disable and Re-enable Gatekeeper (Admin Required)

    Expected signal: macOS Unified Log: spctl --master-disable event (on macOS 13 and later the equivalent flag is --global-disable; the query matches both). Auth log: sudo authentication for spctl. Process creation for spctl.
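To see how the query's CASE branches, the tuning from the False Positives section, and the three tests above interact, here is an added Python example (not part of this page's detection package and not QRadar code) that replays the same ILIKE-style substring logic over constructed macOS syslog lines: one line per branch, plus a line for each test, including the spctl --status case that produces no alert. The syslog layout (proc[pid]: user=... cmd=...), the host prefix build- for CI agents and the process name jamf for MDM activity are assumptions made for the example.

```python
"""Replay of the QRadar AQL detection logic over constructed macOS log lines.

Added example: mirrors the CASE branches of the query on this page and the
tuning suggested in the False Positives section. Not QRadar code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample payloads, not real telemetry. The layout
# "<ts> <host> <proc>[<pid>]: user=<user> cmd=<command line>" is an assumption
# about what the forwarded syslog / Unified Log payload contains.
SAMPLE_PAYLOADS = [
    "Mar 14 10:02:11 mac-alice Terminal[512]: user=alice cmd=xattr -d com.apple.quarantine /Users/alice/Downloads/Installer.app",
    "Mar 14 10:03:40 build-01 bash[2210]: user=jenkins cmd=xattr -dr com.apple.quarantine /Users/jenkins/work/artifacts",
    "Mar 14 10:05:02 mac-bob jamf[301]: user=root cmd=spctl --add --label 'Corp Apps' /Applications/CorpTool.app",
    "Mar 14 10:06:15 mac-bob Terminal[640]: user=bob cmd=spctl --status",
    "Mar 14 10:07:30 mac-bob sudo[655]: user=bob cmd=spctl --master-disable",
    "Mar 14 10:09:01 mac-alice sh[700]: user=alice cmd=DYLD_INSERT_LIBRARIES=/tmp/hook.dylib /Applications/Safari.app/Contents/MacOS/Safari",
    "Mar 14 10:10:12 mac-alice launchservicesd[88]: user=root cmd=update com.apple.LaunchServices.QuarantineEventsV2",
    "Mar 14 10:11:45 mac-alice sqlite3[720]: user=alice cmd=sqlite3 com.apple.LaunchServices.QuarantineEventsV2 'delete from LSQuarantineEvent'",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[ ]+)\[\d+\]: "
    r"user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)

# Tuning assumptions for the example (see False Positives & Tuning above):
# suppress xattr alerts from CI build hosts and spctl --add from the MDM agent.
CI_HOST_PREFIXES = ("build-",)
MDM_PROCESSES = {"jamf"}


def classify(payload: str) -> Optional[str]:
    """Mirror of the query's CASE expression.

    ILIKE '%x%' is a case-insensitive substring test, so the payload is
    lower-cased and the branches are tried in the same order as the query;
    the first match wins and anything else returns None (no alert)."""
    p = payload.lower()
    if "xattr" in p and any(s in p for s in (
            "-d com.apple.quarantine", "--delete com.apple.quarantine",
            "xattr -dr ", "xattr -c ")):
        return "Quarantine_Attribute_Removed"
    if "spctl" in p and any(s in p for s in (
            " --add", "--enable", "--master-disable", "--global-disable")):
        return "Spctl_Gatekeeper_Modified"
    if any(s in p for s in ("dyld_insert_libraries", "dyld_framework_path",
                            "dyld_library_path")):
        return "DYLD_Injection_Detected"
    if ("quarantineeventsv2" in p and "launchservicesd" not in p
            and "tccd" not in p):
        return "Quarantine_DB_Modified"
    return None


def is_tuned_out(row: Dict[str, str]) -> bool:
    """Post-classification suppression keyed on host and process identity,
    never on the command string alone. Gatekeeper-wide disables
    (--master-disable / --global-disable) are never suppressed."""
    if row["detection"] == "Quarantine_Attribute_Removed":
        return row["host"].startswith(CI_HOST_PREFIXES)
    if row["detection"] == "Spctl_Gatekeeper_Modified":
        return row["proc"] in MDM_PROCESSES and " --add" in row["cmd"]
    return False


def detect(payloads: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (alerts, suppressed): the rows the query would emit, split by tuning."""
    alerts, suppressed = [], []
    for line in payloads:
        m = SYSLOG_RE.match(line)
        detection = classify(line)
        if m is None or detection is None:
            continue
        row = {"host": m["host"], "proc": m["proc"], "user": m["user"],
               "cmd": m["cmd"], "detection": detection}
        (suppressed if is_tuned_out(row) else alerts).append(row)
    return alerts, suppressed


def summarize(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count rows per detection_type, like a GROUP BY on the query output."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r["detection"]] = counts.get(r["detection"], 0) + 1
    return counts


if __name__ == "__main__":
    alerts, suppressed = detect(SAMPLE_PAYLOADS)
    for r in alerts:
        print(f"ALERT      {r['detection']:<30} {r['host']} {r['user']} {r['cmd']}")
    for r in suppressed:
        print(f"SUPPRESSED {r['detection']:<30} {r['host']} {r['user']} {r['cmd']}")
    print(summarize(alerts))
```

Running it yields four alerts (the interactive xattr -d, the sudo spctl --master-disable, the DYLD_INSERT_LIBRARIES launch and the sqlite3 edit of QuarantineEventsV2), two suppressed rows (the CI agent's xattr -dr and the jamf spctl --add), and nothing for spctl --status or for launchservicesd's own access to the quarantine database. The suppression is deliberately keyed on host and process rather than on the command text, because an attacker controls the command text but not the host inventory.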
