
DET0288 Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation

Item | Value
ID | DET0288
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1553.001 (Gatekeeper Bypass)

Analytics

macOS

AN0800

Correlates suspicious removal or modification of the com.apple.quarantine extended attribute, manipulation of LSFileQuarantineEnabled values in Info.plist, and unexpected process execution of unsigned or non-notarized binaries. Also monitors abnormal trust validation failures in unified logs and unusual activity in QuarantineEvents database entries.

Log Sources
Data Component | Name | Channel
File Metadata (DC0059) | macos:unifiedlog | xattr -d com.apple.quarantine or similar attribute removal commands
Process Creation (DC0032) | macos:unifiedlog | Trust validation failures or bypass attempts during notarization and code signing checks
File Modification (DC0061) | macos:osquery | Changes to LSFileQuarantineEnabled field in Info.plist

Mutable Elements
Field | Description
QuarantineBypassAllowList | Legitimate enterprise update tools or deployment frameworks that may strip quarantine flags
CertificateAuthorityList | Baseline trusted Apple Developer IDs and enterprise certs used for code signing
TimeWindow | Time correlation window for xattr modification followed by suspicious process execution
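The correlation described in AN0800, with the three mutable elements as tunables, as an added example that is not part of the DET0288 page or of any MITRE tooling. It runs over constructed, normalized events (the allowlisted deploy tool path, the trusted Team ID and the file paths are placeholders, not real telemetry) and pairs each non-allowlisted quarantine or trust-control change with a suspicious launch of the same file inside TimeWindow.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# DET0288 mutable elements; the values are constructed placeholders for illustration.
QUARANTINE_BYPASS_ALLOW_LIST = {"/opt/corp/deploy-agent"}  # hypothetical enterprise deploy tool
CERTIFICATE_AUTHORITY_LIST = {"ABCDE12345"}                 # hypothetical trusted Team ID
TIME_WINDOW = timedelta(minutes=10)

@dataclass
class Event:
    ts: datetime
    kind: str          # "xattr_removed" | "plist_quarantine_disabled" | "trust_failure" | "exec"
    target: str        # file or bundle path the event concerns
    actor: str = ""    # process that performed the change (for change events)
    team_id: str = ""  # signing Team ID of the executed binary; "" means unsigned
    notarized: bool = False

CHANGE_KINDS = {"xattr_removed", "plist_quarantine_disabled", "trust_failure"}

def is_suspicious_launch(ev: Event) -> bool:
    """Unsigned, non-notarized, or signed by a Team ID outside the trusted baseline."""
    return ev.team_id == "" or not ev.notarized or ev.team_id not in CERTIFICATE_AUTHORITY_LIST

def correlate(events: list[Event]) -> list[dict]:
    """Return one alert per (quarantine/trust change -> suspicious exec of same target) pair
    occurring within TIME_WINDOW; changes made by allowlisted tools are ignored."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, change in enumerate(events):
        if change.kind not in CHANGE_KINDS or change.actor in QUARANTINE_BYPASS_ALLOW_LIST:
            continue
        for later in events[i + 1:]:
            if later.ts - change.ts > TIME_WINDOW:
                break  # events are time-ordered, so nothing further can match
            if later.kind == "exec" and later.target == change.target and is_suspicious_launch(later):
                alerts.append({"trigger": change.kind, "target": change.target,
                               "actor": change.actor, "launched_at": later.ts.isoformat()})
                break
    return alerts

T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample events, not real unified log / osquery output
    Event(T0, "xattr_removed", "/Users/alice/Downloads/Updater.app", actor="/usr/bin/xattr"),
    Event(T0 + timedelta(minutes=2), "exec", "/Users/alice/Downloads/Updater.app"),  # unsigned
    Event(T0, "xattr_removed", "/Applications/CorpTool.app", actor="/opt/corp/deploy-agent"),
    Event(T0 + timedelta(minutes=1), "exec", "/Applications/CorpTool.app", team_id="ABCDE12345", notarized=True),
    Event(T0 + timedelta(minutes=5), "plist_quarantine_disabled", "/Users/alice/Downloads/Tool.app", actor="/usr/bin/plutil"),
    Event(T0 + timedelta(minutes=6), "exec", "/Users/alice/Downloads/Tool.app", team_id="ZZZZZ99999", notarized=True),
    Event(T0 + timedelta(hours=1), "exec", "/Users/alice/Downloads/Updater.app"),  # outside TIME_WINDOW
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Expected: two alerts (Updater.app via xattr removal, Tool.app via the Info.plist change); the CorpTool.app change is suppressed by the allowlist and the one-hour-later launch falls outside the window.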