Potential Gatekeeper Bypass

In macOS, when a browser or other application downloads a file from the internet, it tags the file with the com.apple.quarantine extended attribute. Gatekeeper reads this attribute when the file is first opened or executed and uses it to decide whether to prompt the user or block the launch. Removing the attribute, most simply with xattr -d com.apple.quarantine on the file (or xattr -rd on an app bundle), lets the file run without that check, which is why this analytic looks for xattr invocations that name com.apple.quarantine. Two cases the query does not see: xattr -c strips every extended attribute without naming com.apple.quarantine, and a program can call removexattr() directly without ever spawning xattr.

id:a4fe6af5-bc33-4e72-8241-eea885b95c46
categories:detect
confidence:low
os:macos
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1144 Gatekeeper Bypass

Query

process where subtype.create and
  process_name == "xattr" and
  command_line == "*com.apple.quarantine*"
| unique command_line
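The query above as it would run over process-creation telemetry, written as an added example rather than code from the analytics library: the events are constructed, the field names mirror the query (event_type, subtype, process_name, command_line), and fnmatch stands in for EQL's wildcard comparison, which is assumed here to be case-insensitive as in the original eql library. A second function extends the page's logic to the xattr -c blind spot noted above; that extension is this example's own addition, not part of the published query.

```python
import fnmatch
import shlex

# Constructed sample process events (not real telemetry); fields mirror the query's
# event_type / subtype / process_name / command_line.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/alice/Downloads/Tool.dmg"},
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -rd com.apple.quarantine /Applications/Tool.app"},
    # same command line again: the unique pipe collapses it
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /Users/alice/Downloads/Tool.dmg"},
    # only lists attributes: benign, and the attribute name is absent anyway
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -l /Users/alice/Downloads/Tool.dmg"},
    # clears every attribute without naming com.apple.quarantine: blind spot of the query
    {"event_type": "process", "subtype": "create", "process_name": "xattr",
     "command_line": "xattr -c /Applications/Tool.app"},
    # process termination, not creation: excluded by subtype.create
    {"event_type": "process", "subtype": "terminate", "process_name": "xattr",
     "command_line": "xattr -d com.apple.quarantine /tmp/stage"},
]


def eql_eq(value, pattern):
    """Stand-in for EQL's string ==: exact match, or a wildcard match when the
    literal contains '*'. Assumed case-insensitive, as in the original eql library."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def detect_quarantine_removal(events):
    """The page's query: process creation of xattr whose command line names
    com.apple.quarantine, piped through unique command_line (first seen wins)."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "process" or ev.get("subtype") != "create":
            continue
        if not eql_eq(ev.get("process_name", ""), "xattr"):
            continue
        cmd = ev.get("command_line", "")
        if not eql_eq(cmd, "*com.apple.quarantine*"):
            continue
        if cmd not in hits:
            hits.append(cmd)
    return hits


def clears_all_xattrs(command_line):
    """True if an xattr command line uses -c (possibly bundled, e.g. -rc), which
    removes every extended attribute, the quarantine flag included."""
    try:
        args = shlex.split(command_line)
    except ValueError:
        return False
    if not args or args[0].rsplit("/", 1)[-1] != "xattr":
        return False
    return any(a.startswith("-") and not a.startswith("--") and "c" in a[1:]
               for a in args[1:])


def detect_quarantine_removal_extended(events):
    """This example's extension of the query: the original hits plus xattr -c
    invocations, still unique by command line."""
    hits = detect_quarantine_removal(events)
    for ev in events:
        if ev.get("event_type") != "process" or ev.get("subtype") != "create":
            continue
        if not eql_eq(ev.get("process_name", ""), "xattr"):
            continue
        cmd = ev.get("command_line", "")
        if clears_all_xattrs(cmd) and cmd not in hits:
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for line in detect_quarantine_removal_extended(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the page's query returns the two distinct -d / -rd command lines and nothing else; the extended version adds the xattr -c line. Neither catches a direct removexattr() call, since no xattr process is created at all.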

Contributors