MITRE ATT&CK® Analytic

AN0800: Analytic 0800

Correlates suspicious removal or modification of the com.apple.quarantine extended attribute, manipulation of LSFileQuarantineEnabled values in Info.plist, and unexpected process execution of unsigned or non-notarized binaries. Also monitors abnormal trust validation failures in unified logs and unusual activity in QuarantineEvents database entries.

Enterprise · AN0800 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it focuses on macOS quarantine and trust signals that help organizations catch attempts to run software outside expected Apple safety checks. For executives and security leaders, the value is not simply detecting a file attribute change; it is validating whether the organization can see when macOS execution trust boundaries are weakened and when unsigned or non-notarized binaries run unexpectedly.

Executive priority

Prioritize this where macOS endpoints support business-critical users, privileged administrators, developers, or regulated workflows. Leaders should ask whether endpoint logging and SOC content can produce audit-ready evidence around quarantine attribute changes, Info.plist quarantine settings, unsigned or non-notarized execution, trust validation failures, and QuarantineEvents activity. This is a practical control-validation area for endpoint resilience, incident response readiness, and compliance evidence around software execution governance on macOS.

Technical view

AN0800 is a macOS detection analytic that correlates multiple signals: suspicious removal or modification of the com.apple.quarantine extended attribute, manipulation of LSFileQuarantineEnabled values in Info.plist, unexpected execution of unsigned or non-notarized binaries, abnormal trust validation failures in unified logs, and unusual QuarantineEvents database activity. SOC and detection teams should validate that these data sources are collected, normalized, time-correlated, and tied back to process, file, user, signing, notarization, and host context. Because no ATT&CK tactic or relationship context is supplied, this should be treated as a defensive analytic for macOS trust and quarantine control monitoring rather than mapped to a specific intrusion phase.

Likely telemetry

  • macOS extended attribute change evidence for com.apple.quarantine
  • Info.plist contents or modification events involving LSFileQuarantineEnabled
  • Process execution telemetry for unsigned or non-notarized binaries
  • macOS unified log entries related to trust validation failures
  • QuarantineEvents database entries and changes

Detection direction

  • Confirm endpoint tooling can observe extended attribute removal or modification, not only process execution.
  • Correlate quarantine attribute changes with subsequent execution of unsigned or non-notarized binaries to reduce noise.
  • Baseline legitimate software installation, developer, administrative, and IT support workflows that may modify quarantine-related attributes or plist values.
  • Review unified log trust validation failures alongside file reputation, signing, notarization, user, and parent process context before escalating.
  • Validate visibility into QuarantineEvents database activity and identify hosts where collection is missing or incomplete.
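An added correlation example, not part of the MITRE analytic or the Glexia page, that implements the second and third points above over constructed telemetry: a quarantine-weakening event (com.apple.quarantine removed, or LSFileQuarantineEnabled disabled in a bundle's Info.plist) followed within a time window by execution of an unsigned or non-notarized binary at the same path on the same host, with an allowlist of approved parent processes standing in for the baselined deployment workflow. The event schema, the "deploy-agent" parent name, hosts and paths are all assumptions.

```python
from datetime import datetime

QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample telemetry (not real data), already normalized into one
# schema: quarantine-weakening events and process executions, per host.
SAMPLE_EVENTS = [
    # 1) Attribute stripped from a download, then the unsigned file runs: alert.
    {"ts": "2024-05-01T10:00:00", "host": "mac-01", "user": "dev", "parent": "Terminal",
     "type": "xattr_removed", "path": "/Users/dev/Downloads/tool", "attr": QUARANTINE_ATTR},
    {"ts": "2024-05-01T10:00:40", "host": "mac-01", "user": "dev", "parent": "Terminal",
     "type": "process_exec", "path": "/Users/dev/Downloads/tool", "signed": False, "notarized": False},
    # 2) Same pattern under the (assumed) approved deployment agent: suppressed when allowlisted.
    {"ts": "2024-05-01T11:00:00", "host": "mac-02", "user": "root", "parent": "deploy-agent",
     "type": "xattr_removed", "path": "/Applications/Vendor", "attr": QUARANTINE_ATTR},
    {"ts": "2024-05-01T11:00:05", "host": "mac-02", "user": "root", "parent": "deploy-agent",
     "type": "process_exec", "path": "/Applications/Vendor", "signed": True, "notarized": False},
    # 3) Attribute removed, but the binary is signed and notarized: no alert.
    {"ts": "2024-05-01T12:00:00", "host": "mac-03", "user": "ops", "parent": "Finder",
     "type": "xattr_removed", "path": "/Applications/Good", "attr": QUARANTINE_ATTR},
    {"ts": "2024-05-01T12:00:10", "host": "mac-03", "user": "ops", "parent": "Finder",
     "type": "process_exec", "path": "/Applications/Good", "signed": True, "notarized": True},
    # 4) LSFileQuarantineEnabled set to false in a bundle's Info.plist, then an
    #    unsigned binary inside that bundle runs: alert via bundle-path prefix match.
    {"ts": "2024-05-01T13:00:00", "host": "mac-04", "user": "dev", "parent": "vim",
     "type": "plist_quarantine_disabled", "path": "/Applications/Demo.app"},
    {"ts": "2024-05-01T13:01:00", "host": "mac-04", "user": "dev", "parent": "Demo",
     "type": "process_exec", "path": "/Applications/Demo.app/Contents/MacOS/Demo",
     "signed": False, "notarized": False},
]

WEAKENING = {"xattr_removed", "xattr_modified", "plist_quarantine_disabled"}

def correlate(events, window_seconds=300, approved_parents=frozenset()):
    """Return alerts for unsigned or non-notarized executions that follow a
    quarantine-weakening event for the same host and path within the window."""
    pending, alerts = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] in WEAKENING and ev.get("attr", QUARANTINE_ATTR) == QUARANTINE_ATTR:
            pending.append(ev)  # wait for a matching execution
        elif ev["type"] == "process_exec" and not (ev["signed"] and ev["notarized"]):
            for q in pending:
                age = (datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(q["ts"])).total_seconds()
                same_target = ev["path"] == q["path"] or ev["path"].startswith(q["path"] + "/")
                if (q["host"] == ev["host"] and same_target and 0 <= age <= window_seconds
                        and ev["parent"] not in approved_parents):
                    alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "path": ev["path"],
                                   "parent": ev["parent"], "weakened_by": q["type"],
                                   "signed": ev["signed"], "notarized": ev["notarized"]})
    return alerts
```

Calling `correlate(SAMPLE_EVENTS, approved_parents=frozenset({"deploy-agent"}))` yields alerts for mac-01 and mac-04 only; dropping the allowlist also surfaces the mac-02 deployment case, which is the noise the baseline in the third point is meant to remove.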

Mitigation priorities

  • Ensure macOS endpoint telemetry collection covers quarantine attributes, plist changes, process execution, signing or notarization metadata, unified logs, and QuarantineEvents where feasible.
  • Define approved administrative and software deployment workflows so detection rules can distinguish expected quarantine-related changes from suspicious activity.
  • Prioritize monitoring for privileged users, developer workstations, and business-critical macOS systems.
  • Use incident response playbooks that preserve file metadata, extended attributes, logs, and QuarantineEvents evidence before remediation.
  • Periodically test whether unsigned or non-notarized execution and quarantine-related changes generate actionable SOC alerts in the deployed environment.

Analyst notes and limits

The supplied object is a detection analytic, AN0800, for the enterprise ATT&CK domain and macOS platform. Its strongest decision value is coverage validation: whether the organization can observe and correlate macOS quarantine, trust validation, and unsigned or non-notarized execution signals. No relationships, tactics, or official detection logic were supplied, so mapping to a specific technique, campaign, or intrusion stage is not supported by the provided data.

This take is limited to the supplied STIX fields, official description, external reference, and the absence of relationship context. It does not assert active exploitation, attribution, impact, or guaranteed detection. Local macOS logging configuration, endpoint product capability, retention, and normal software management practices will determine practical coverage and false-positive rates.

Official MITRE ATT&CK definition

Analytic 0800

Correlates suspicious removal or modification of the com.apple.quarantine extended attribute, manipulation of LSFileQuarantineEnabled values in Info.plist, and unexpected process execution of unsigned or non-notarized binaries. Also monitors abnormal trust validation failures in unified logs and unusual activity in QuarantineEvents database entries.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cf282d8b4f0d739f...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: cf282d8b4f0d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0800 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.