T1553.001

Gatekeeper Bypass

Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time ...

macOS
6 Detections
2 Sources
0 Threat Actors

BY SOURCE

5 elastic, 1 sigma

PROCEDURES (6)

General Monitoring (1 detection)

Auto-extracted: 1 detection for general monitoring

Bypass (1 detection)

Auto-extracted: 1 detection for bypass

Bypass (1 detection)

Auto-extracted: 1 detection for bypass

Download (1 detection)

Auto-extracted: 1 detection for download

Download (1 detection)

Auto-extracted: 1 detection for download

Network Connection Monitoring (1 detection)

Auto-extracted: 1 detection for network connection monitoring

DETECTIONS (6)