Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0888: Analytic 0888

Execution of commands or APIs that disable Gatekeeper, XProtect, or system integrity protections. Detect configuration changes through unified logs. Monitor termination of system security daemons (e.g., syspolicyd).

EnterpriseAN0888AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting attempts on macOS to turn off built-in security protections such as Gatekeeper, XProtect, or system integrity controls, or to stop related security daemons such as syspolicyd. For leaders, the value is not just malware prevention; these controls are part of the trust baseline for managed endpoints, audit readiness, and incident containment. If an organization relies on macOS for privileged users, developers, executives, or operational staff, visibility into these changes helps confirm whether endpoint hardening is actually enforceable and observable.

Executive priority

Prioritize this where macOS endpoints are used for sensitive work or privileged access. The business question is: can the organization prove when core macOS security protections are disabled or interfered with, and can the SOC respond before that endpoint becomes a weak point in identity, data, or operational resilience? This supports control assurance, incident triage, and compliance evidence for endpoint protection configuration monitoring.

Technical view

Validate collection and alerting for macOS unified logs showing configuration changes related to Gatekeeper, XProtect, or system integrity protections, plus process or service telemetry that can identify termination of system security daemons such as syspolicyd. Because no tactic mapping or full detection logic is supplied, teams should treat this as a detection validation requirement rather than a complete rule. Confirm what legitimate administration, MDM activity, software installation, or troubleshooting workflows may change these settings so alerts can distinguish expected maintenance from suspicious weakening of protections.

Likely telemetry

  • macOS unified logs for security configuration changes
  • Endpoint process execution telemetry for commands or APIs affecting Gatekeeper, XProtect, or system integrity protections
  • Service or daemon status and termination events for security-related daemons such as syspolicyd
  • Device management or administrative change records that explain approved configuration changes
  • Endpoint security or EDR events showing protection state changes on macOS

Detection direction

  • Confirm macOS unified log collection is enabled, retained, and searchable for relevant security configuration changes.
  • Monitor for termination or abnormal stopping of system security daemons, especially syspolicyd as named in the ATT&CK description.
  • Correlate protection-disabling events with user, device, administrator, MDM, and change-management context to reduce false positives.
  • Test visibility against authorized administrative scenarios to identify blind spots before depending on the analytic in incident response.
  • Treat lack of supplied ATT&CK detection logic as a prompt to build local detection criteria, thresholds, and allowlists based on the organization’s macOS management model.

Mitigation priorities

  • Maintain a managed baseline for macOS security protections including Gatekeeper, XProtect, and system integrity protections.
  • Restrict who can make endpoint security configuration changes and require traceable administrative approval where possible.
  • Ensure MDM or endpoint management policies reassert required security settings after unauthorized or accidental changes.
  • Include macOS protection-state evidence in compliance, endpoint hardening, and incident response readiness reviews.
  • Prepare SOC runbooks for validating whether a protection change was approved administration, user troubleshooting, or potentially malicious activity.
Analyst notes and limits

The supplied object is a detection analytic for macOS only. It names the behavior to detect and key telemetry sources, but does not provide a full rule, tactic mapping, relationship context, or adversary association. Defensive value depends heavily on whether the organization collects macOS unified logs and can correlate them with endpoint management and administrative activity.

This take is limited to the official STIX fields, external reference, and the provided description. No active exploitation, attribution, impact, or guaranteed detection coverage is implied. Local baselines are required to determine expected administrative behavior and false-positive handling.

Official MITRE ATT&CK definition

Analytic 0888

Execution of commands or APIs that disable Gatekeeper, XProtect, or system integrity protections. Detect configuration changes through unified logs. Monitor termination of system security daemons (e.g., syspolicyd).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1033b91b8779435c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1033b91b8779…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0888
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use