MITRE ATT&CK® Analytic

AN0644: Analytic 0644

Monitors Gatekeeper, spctl, and unified log entries for binaries executed with unexpected or untrusted signatures. Correlates file metadata changes with process launches where signature validation is skipped, altered, or fails but the process still executes.

Enterprise | AN0644 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant to macOS environments because it focuses on whether applications or binaries are running even when Apple code-signing and Gatekeeper trust signals are unexpected, untrusted, skipped, altered, or failing. For leaders, the value is not simply “detect a bad file”; it is validating whether the organization can see when macOS execution trust controls are bypassed or ignored in practice.

Executive priority

Prioritize this where macOS endpoints support sensitive users, administrative workflows, engineering teams, or regulated business processes. The key business question is whether endpoint and SOC programs can produce evidence that macOS execution trust decisions are being monitored, investigated, and correlated with process activity. This can support incident response readiness, control assurance, and audit discussions around endpoint protection and software trust.

Technical view

SOC and detection teams should validate collection and correlation across Gatekeeper-related events, spctl/signature validation results, unified log entries, file metadata changes, and process launch telemetry on macOS. The analytic should focus on cases where a binary executes despite an unexpected or untrusted signature state, or where validation appears skipped, altered, or failed. Because no ATT&CK tactic or relationship context is supplied, teams should treat this as a macOS execution-trust monitoring analytic rather than mapping it to a specific adversary objective without local evidence.

Likely telemetry

  • macOS unified log entries related to Gatekeeper or code-signing decisions
  • spctl assessment output or equivalent signature validation events
  • Gatekeeper policy or assessment events
  • Process creation or launch telemetry for macOS binaries
  • File metadata changes associated with the executed binary

Detection direction

  • Confirm that macOS unified logs and endpoint telemetry retain enough detail to link signature assessment results to the actual process that executed.
  • Tune for binaries that execute after signature validation fails, is skipped, is altered, or reports an unexpected or untrusted signer.
  • Correlate file metadata changes with nearby process launches to reduce isolated log noise.
  • Review expected internal software, developer tools, and administrative workflows to reduce false positives from legitimate unsigned or locally built binaries.
  • Validate visibility on all supported macOS endpoint groups; missing unified log, process, or file metadata collection will materially weaken this analytic.
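The correlation described in the detection direction above, shown as an added example rather than MITRE's or Glexia's own logic: it joins constructed signature-assessment events, file-metadata-change events and process-launch events on the executed path, and flags launches that follow a failed assessment, happen with no assessment at all, carry an unexpected signer, or follow a metadata change. The event schema, the sample lines, the five-minute window and the EXPECTED_SIGNERS allowlist are all assumptions for illustration, not real unified log or spctl output.

```python
"""Added example: correlate macOS signature assessments, metadata changes and
process launches. Schema, sample events, window and signer allowlist are
assumptions for illustration, not real syspolicyd/spctl/unified log output."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

EXPECTED_SIGNERS = {"Apple", "InternalCorp"}  # assumed local allowlist (tuning input)
WINDOW = timedelta(seconds=300)               # assumed correlation window

# Constructed sample events (assumed schema):
#   <ISO ts> assessment <path> <accept|reject> key=value...
#   <ISO ts> exec       <path> pid=<n>
#   <ISO ts> metadata   <path> key=value...
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z assessment /Applications/Safari.app/Contents/MacOS/Safari accept signer=Apple
2024-05-01T10:00:02Z exec /Applications/Safari.app/Contents/MacOS/Safari pid=501
2024-05-01T10:01:00Z assessment /Users/dev/Downloads/updater reject reason=no_usable_signature
2024-05-01T10:01:03Z exec /Users/dev/Downloads/updater pid=612
2024-05-01T10:02:00Z metadata /tmp/helper xattr_removed=com.apple.quarantine
2024-05-01T10:02:04Z exec /tmp/helper pid=640
2024-05-01T10:03:00Z assessment /opt/tools/build accept signer=InternalCorp
2024-05-01T10:03:01Z exec /opt/tools/build pid=700
2024-05-01T10:04:00Z assessment /Users/dev/Downloads/game accept signer=UnknownDev
2024-05-01T10:04:02Z exec /Users/dev/Downloads/game pid=710
"""


@dataclass
class Event:
    ts: datetime
    kind: str                      # "assessment", "exec" or "metadata"
    path: str
    attrs: Dict[str, str]
    verdict: Optional[str] = None  # assessments only: "accept" or "reject"


@dataclass
class Finding:
    pid: str
    path: str
    reasons: List[str]


def parse_events(text: str) -> List[Event]:
    """Parse the assumed line format into time-ordered Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        kind, path, rest = parts[1], parts[2], parts[3:]
        verdict = None
        if kind == "assessment":
            verdict, rest = rest[0], rest[1:]
        attrs = dict(p.split("=", 1) for p in rest)
        events.append(Event(ts, kind, path, attrs, verdict))
    return sorted(events, key=lambda e: e.ts)


def _latest(events: List[Event], kind: str, path: str, before: datetime) -> Optional[Event]:
    """Most recent event of `kind` for `path` inside the window ending at `before`."""
    cands = [e for e in events
             if e.kind == kind and e.path == path and before - WINDOW <= e.ts <= before]
    return cands[-1] if cands else None


def correlate(events: List[Event]) -> List[Finding]:
    """Flag process launches whose trust context is failed, missing or unexpected."""
    findings: List[Finding] = []
    for ex in events:
        if ex.kind != "exec":
            continue
        reasons: List[str] = []
        a = _latest(events, "assessment", ex.path, ex.ts)
        if a is None:
            reasons.append("executed_without_assessment")        # validation skipped
        elif a.verdict != "accept":
            reasons.append(f"executed_after_{a.verdict}:{a.attrs.get('reason', 'unknown')}")
        elif a.attrs.get("signer") not in EXPECTED_SIGNERS:
            reasons.append(f"unexpected_signer:{a.attrs.get('signer')}")
        m = _latest(events, "metadata", ex.path, ex.ts)
        if m is not None:
            detail = ",".join(f"{k}={v}" for k, v in m.attrs.items())
            reasons.append("metadata_change_before_exec:" + detail)
        if reasons:
            findings.append(Finding(ex.attrs.get("pid", "?"), ex.path, reasons))
    return findings


def run_sample() -> List[Finding]:
    return correlate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f.pid, f.path, "; ".join(f.reasons))
```

The allowlist is where the tuning step above lives: a locally built tool signed by an internal identity produces no finding, while the same accept verdict from an unknown signer does. The Safari launch with an Apple signature is the clean baseline, and the launch with no assessment at all is reported separately from the failed one, because "validation skipped" and "validation failed" usually point at different gaps in collection or control.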

Mitigation priorities

  • Establish an inventory of expected signed software and trusted internal signing practices for macOS systems.
  • Ensure Gatekeeper and code-signing control expectations are documented and monitored through endpoint management and security operations processes.
  • Prioritize endpoint telemetry collection for unified logs, process launches, signature assessment, and file metadata changes before relying on this analytic for incident response decisions.
  • Create triage procedures for untrusted or failed-signature executions, including owner validation, source review, and containment criteria.
  • Use findings from this analytic to inform macOS hardening, software approval workflows, and compliance evidence around execution control monitoring.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, AN0644, for macOS. Its official description centers on monitoring Gatekeeper, spctl, unified logs, file metadata changes, and process launches involving unexpected or untrusted signatures. No ATT&CK tactics, technique relationships, aliases, or official detection logic were supplied, so mapping and prioritization should be completed with local environment context.

This take is based only on the provided STIX fields, external reference, and empty relationship context. It does not establish active exploitation, actor use, impact, coverage, or a complete detection rule. Local macOS logging configuration, EDR capabilities, software signing practices, and retention policies determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 0644

Monitors Gatekeeper, spctl, and unified log entries for binaries executed with unexpected or untrusted signatures. Correlates file metadata changes with process launches where signature validation is skipped, altered, or fails but the process still executes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bd3b7187dff2fa48...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: bd3b7187dff2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0644 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.