title: Gatekeeper Bypass (T1553.001)
id: df00tech-t1553-001
status: experimental
description: "Adversaries bypass macOS Gatekeeper to execute untrusted applications without triggering security prompts. Gatekeeper enforces code signing and app notarization requirements. Bypass techniques include: removing the quarantine extended attribute (xattr -d com.apple.quarantine), using archive formats (.zip, .dmg, .iso) that strip quarantine on extraction, exploiting the first-launch trust mechanism, using DYLD_INSERT_LIBRARIES for code injection into trusted apps, and abusing symlinks to confuse Gatekeeper path checks. Malware widely abuses these techniques to run on macOS without triggering security warnings."
references:
  - https://attack.mitre.org/techniques/T1553/001/
  - https://df00tech.com/detections/T1553.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1553.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
# (the technique is macOS-only, so the product must be macos, not windows)
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below covers only the quarantine-removal command named in the
  # description (xattr -d com.apple.quarantine); combined flag clusters such as
  # "-rd" are not matched by this form.
  selection_xattr_quarantine:
    CommandLine|contains|all:
      - 'xattr'
      - '-d'
      - 'com.apple.quarantine'
  condition: selection_xattr_quarantine
falsepositives:
  - Developers removing quarantine from their own development builds for testing
  - Enterprise IT deploying applications via MDM or managed distribution where quarantine removal is part of the deployment process
  - Software build systems removing quarantine from build artifacts before packaging
  - System administrators disabling Gatekeeper temporarily for authorized software installation
level: high
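The rule above only names the quarantine-removal command; the other process-level indicators in the description (clearing all extended attributes with `xattr -c`, `xattr -r -d` on a directory, and `DYLD_INSERT_LIBRARIES` set in the environment of a launched program) need a small amount of command-line parsing to catch reliably. The following Python is an added example written for this page, not code from df00tech or the Sigma project: it parses constructed process_creation events, classifies each command line against those indicators, and shows how the "build system" false positive from the list above can be tuned out by user without silencing the `DYLD_INSERT_LIBRARIES` check. The event fields (`pid`, `user`, `cmdline`) and the sample paths are assumptions made for the example.

```python
import os
import shlex

# Constructed sample process_creation events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 101, "user": "alice", "cmdline": "xattr -d com.apple.quarantine /Users/alice/Downloads/Installer.app"},
    {"pid": 102, "user": "bob",   "cmdline": "xattr -l /Users/bob/Downloads/file.dmg"},
    {"pid": 103, "user": "build", "cmdline": "/usr/bin/xattr -r -d com.apple.quarantine /tmp/build/out"},
    {"pid": 104, "user": "carol", "cmdline": "xattr -c /Users/carol/Downloads/tool"},
    {"pid": 105, "user": "dave",  "cmdline": "env DYLD_INSERT_LIBRARIES=/tmp/example.dylib /Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 106, "user": "erin",  "cmdline": "ls -la /Users/erin/Downloads"},
]


def _short_flags(args):
    """Collect single-letter flags from clusters such as '-d' or '-rd'."""
    flags = set()
    for a in args:
        if a.startswith("-") and not a.startswith("--") and len(a) > 1:
            flags.update(a[1:])
    return flags


def classify(cmdline):
    """Return (indicator, detail) for a suspicious command line, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the captured line
        argv = cmdline.split()
    if not argv:
        return None

    # Peel off a leading 'env' and any VAR=value assignments so that both the
    # real program name and the injected environment are visible.
    env = {}
    i = 1 if os.path.basename(argv[0]) == "env" else 0
    while i < len(argv) and "=" in argv[i] and not argv[i].startswith("-"):
        key, value = argv[i].split("=", 1)
        env[key] = value
        i += 1
    if i >= len(argv):
        return None
    prog = os.path.basename(argv[i])
    args = argv[i + 1:]

    # Library injection into a (possibly trusted, signed) application.
    if "DYLD_INSERT_LIBRARIES" in env:
        return ("dyld_insert_libraries", env["DYLD_INSERT_LIBRARIES"])

    if prog == "xattr":
        flags = _short_flags(args)
        target = args[-1] if args else ""
        # Explicit removal of the quarantine attribute (recursive or not).
        if "d" in flags and "com.apple.quarantine" in args:
            return ("quarantine_removed", target)
        # Clearing every extended attribute also drops the quarantine flag.
        if "c" in flags:
            return ("all_xattrs_cleared", target)
    return None


def detect(events, allowed_users=frozenset()):
    """Run classify() over events; suppress xattr hits for tuned-out users."""
    alerts = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit is None:
            continue
        indicator, detail = hit
        # Build/deployment accounts legitimately strip quarantine (see the
        # falsepositives list), but injecting a library into a trusted app is
        # not part of that workflow, so that indicator is never suppressed.
        if ev["user"] in allowed_users and indicator != "dyld_insert_libraries":
            continue
        alerts.append({"pid": ev["pid"], "user": ev["user"],
                       "indicator": indicator, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowed_users={"build"}):
        print(alert)
```

Tuning by account is the simplest form of the exception; in a real deployment the allowlist would more usefully key on the parent process (the MDM agent or CI runner) than on the user name.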
