Techniques
Sample rules
MacOS Gatekeeper Bypass
- source: splunk
- technicques:
- T1553.001
Description
Detects known MacOS security bypass techniques that may be used to enable malicious code execution. Specifically monitors for attempts to remove the com.apple.quarantine attribute using xattr, or to disable Gatekeeper protections via spctl –master-disable, both of which can allow untrusted or malicious applications to execute without standard system safeguards.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process = "*xattr*"
Processes.process = "*com.apple.quarantine*"
)
OR
(
Processes.process = "*spctl*"
Processes.process = "*master-disable*"
)
by Processes.dest Processes.original_file_name Processes.parent_process_id
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id
Processes.process_current_directory Processes.process_name
Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_gatekeeper_bypass_filter`