T1553.001 Sumo Logic CSE · Sumo

Detect Gatekeeper Bypass in Sumo Logic CSE

Adversaries bypass macOS Gatekeeper to execute untrusted applications without triggering its security prompts. Gatekeeper enforces code-signing and notarization requirements on files that carry the com.apple.quarantine extended attribute, which browsers and other quarantine-aware downloaders set on content fetched from the internet. Bypass techniques include: removing the quarantine attribute (xattr -d com.apple.quarantine <file>); delivering the payload in an archive or disk image (.zip, .dmg, .iso) through a path that does not propagate the attribute to the extracted contents; relying on the fact that Gatekeeper assesses an application only on first launch, so anything approved once is not re-assessed; loading attacker code into an already-approved process with DYLD_INSERT_LIBRARIES (ignored by apps built with the hardened runtime unless they opt out); and using symlinks to confuse Gatekeeper's path checks. Malware widely uses these techniques to run on macOS without a security warning.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.001 Gatekeeper Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_index=sec_record_*
| where !isNull(commandLine) or !isNull(filePath)
| eval detection_type = if(commandLine matches /(?i)xattr\s+(-r\s+)?(--delete|-d|-rd|-dr)\s+com\.apple\.quarantine/,
    "Quarantine_Attribute_Removed",
    if(commandLine matches /(?i)xattr\s+(-r\s+)?(-c|-rc|-cr)\b/,
    "Quarantine_Flags_Cleared",
    if(commandLine matches /(?i)spctl\s+(--add|--enable|--master-disable|--global-disable)\b/,
    "Spctl_Gatekeeper_Modified",
    if(commandLine matches /(?i)(DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH)/,
    "DYLD_Injection_Detected",
    if(filePath matches /(?i)QuarantineEventsV2/
      and !(processName matches /(?i)(quarantine|tccd|launchservicesd|lsd)/),
    "Quarantine_DB_Modified",
    null)))))
| where !isNull(detection_type)
| fields _messageTime, device_hostname, user_username, processName, commandLine, filePath, detection_type
| sort by _messageTime desc

Severity: High. Confidence: High.

Sumo Logic CSE normalized record query that flags macOS Gatekeeper bypass activity by regex-matching the normalized commandLine, filePath and processName fields. It assigns one of five detection types: removal of the quarantine attribute (including the recursive -rd/-dr forms used on app bundles), wholesale clearing of extended attributes with xattr -c, spctl policy modification, DYLD injection via environment variables, and access to the LaunchServices quarantine events database by a process other than the expected system daemons. The nested if() means the first matching branch wins, so a single command that both strips quarantine and sets DYLD_INSERT_LIBRARIES is labelled Quarantine_Attribute_Removed. Read-only inspection (xattr -p, xattr -l, spctl --status, spctl --assess) is deliberately not matched. Requires macOS endpoint telemetry (process creation with the full command line, plus file access events for the database branch) normalized into the CSE sec_record schema; confirm that the mapper for your EDR populates these field names before enabling the rule.
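To check the regexes before deploying the rule, the same five branches can be exercised offline against constructed records. The Python below is an added example, not code from the page or from Sumo Logic; it mirrors the query's precedence order and field names (commandLine, filePath, processName), and every sample record, hostname and path in it is made up. It also shows that Atomic Test 2 (spctl --status) produces no detection while Tests 1 and 3 do.

```python
"""Offline re-implementation of the Sumo Logic CSE Gatekeeper-bypass query.

Added example, not part of the original detection page. Field names follow
the query; the SAMPLES records are constructed, not captured telemetry.
"""
import re
from typing import Optional

# Ordered like the nested if() in the query: the first match wins.
COMMAND_RULES = [
    ("Quarantine_Attribute_Removed",
     # xattr -d / --delete / -rd / -dr / -r -d com.apple.quarantine <path>
     re.compile(r"xattr\s+(?:-r\s+)?(?:--delete|-d|-rd|-dr)\s+com\.apple\.quarantine", re.I)),
    ("Quarantine_Flags_Cleared",
     # xattr -c / -rc / -cr / -r -c <path>: strips every extended attribute
     re.compile(r"xattr\s+(?:-r\s+)?(?:-c|-rc|-cr)\b", re.I)),
    ("Spctl_Gatekeeper_Modified",
     # policy changes only; spctl --status and --assess are read-only
     re.compile(r"spctl\s+(?:--add|--enable|--master-disable|--global-disable)\b", re.I)),
    ("DYLD_Injection_Detected",
     re.compile(r"DYLD_INSERT_LIBRARIES|DYLD_FRAMEWORK_PATH|DYLD_LIBRARY_PATH", re.I)),
]
QUARANTINE_DB = re.compile(r"QuarantineEventsV2", re.I)
# Processes expected to touch the quarantine database, as listed in the query.
EXPECTED_DB_WRITERS = re.compile(r"quarantine|tccd|launchservicesd|lsd", re.I)


def classify(record: dict) -> Optional[str]:
    """Return the detection_type the query would assign to one record, or None."""
    cmd = record.get("commandLine") or ""
    path = record.get("filePath") or ""
    proc = record.get("processName") or ""
    if not cmd and not path:  # `where !isNull(commandLine) or !isNull(filePath)`
        return None
    for name, rx in COMMAND_RULES:
        if rx.search(cmd):
            return name
    if QUARANTINE_DB.search(path) and not EXPECTED_DB_WRITERS.search(proc):
        return "Quarantine_DB_Modified"
    return None


# Constructed sample records (hypothetical users, processes and paths).
QDB = "/Users/dev/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"
SAMPLES = {
    "atomic_t1_remove_quarantine": {
        "processName": "xattr",
        "commandLine": "xattr -d com.apple.quarantine /tmp/atomic_test_file.txt"},
    "atomic_t2_status_readonly": {
        "processName": "spctl", "commandLine": "spctl --status"},
    "atomic_t3_master_disable": {
        "processName": "spctl", "commandLine": "sudo spctl --master-disable"},
    "recursive_app_bundle": {
        "processName": "xattr",
        "commandLine": "xattr -rd com.apple.quarantine /Applications/Installer.app"},
    "clear_all_xattrs": {
        "processName": "xattr", "commandLine": "xattr -c /Users/dev/Downloads/tool"},
    "dyld_env_injection": {
        "processName": "zsh",
        "commandLine": "DYLD_INSERT_LIBRARIES=/tmp/hook.dylib /Applications/Notes.app/Contents/MacOS/Notes"},
    "sqlite_edits_quarantine_db": {
        "processName": "sqlite3", "commandLine": None, "filePath": QDB},
    "lsd_writes_quarantine_db": {
        "processName": "lsd", "commandLine": None, "filePath": QDB},
    "print_quarantine_readonly": {
        "processName": "xattr",
        "commandLine": "xattr -p com.apple.quarantine /Users/dev/Downloads/tool.dmg"},
}


def classify_samples() -> dict:
    """Run every constructed record through classify(); None means no alert."""
    return {name: classify(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:32} -> {verdict}")
```

Running it prints one verdict per record; the two read-only commands and the lsd write to the database come back as None, which is the behaviour the tuning notes below rely on.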

Data Sources

  • Sumo Logic CSE normalized records (sec_record_*)
  • macOS Endpoint Security Framework events forwarded via the Sumo Logic macOS source
  • CrowdStrike Falcon or SentinelOne macOS data normalized by a Sumo Logic CSE mapper

Required Tables

sec_record_*

False Positives & Tuning

  • Developer tooling can strip quarantine legitimately: Homebrew cask installs with --no-quarantine, MacPorts or nix build scripts, and ad hoc scripts that unpack downloaded CLI tools may invoke xattr -d or xattr -c, producing sustained alert volume on developer machines. Tune on the parent process and the target path rather than suppressing xattr outright.
  • MDM deployment scripts run by Jamf, Mosyle or Kandji agents may call spctl --add and spctl --enable while registering approved applications during the software lifecycle. Exclude the agent's process lineage, not the spctl command itself, so that a user-initiated --master-disable or --global-disable still alerts.
  • Reverse engineering and malware analysis workflows on isolated sandbox machines legitimately set DYLD_INSERT_LIBRARIES to inject custom dynamic libraries for behavioral tracing of suspicious samples. Scope the exclusion to those hosts.

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; note that only Tests 1 and 3 are designed to fire this rule.

  1. Test 1: Remove Quarantine Attribute from a File

    Expected signal: process creation for xattr with -d com.apple.quarantine in the command line, from the Endpoint Security Framework or EDR source. This is the field the Quarantine_Attribute_Removed branch matches; the unified log does not record the xattr invocation itself.

  2. Test 2: Check Gatekeeper Status

    Expected signal: process creation for spctl --status. This command is read-only and is not matched by the query, so it should appear in process telemetry without producing a detection; use it to confirm visibility, not alerting.

  3. Test 3: Disable and Re-enable Gatekeeper (Admin Required)

    Expected signal: process creation for spctl --master-disable (matched by the Spctl_Gatekeeper_Modified branch) and a sudo authentication for spctl in the auth log. On recent macOS releases the command alone does not complete the change until the "Anywhere" option is confirmed in System Settings > Privacy & Security, and macOS 15 renames the flag to --global-disable, which the query also matches.
