MITRE ATT&CK® Analytic

AN1248: Analytic 1248

Detection monitors modification of code signing attributes, Gatekeeper/quarantine flags, and insertion of new trust certificates via security add-trusted-cert. Identifies adversary use of xattr to strip quarantine flags from downloaded binaries. Correlates with abnormal module loads bypassing SIP protections.

Domain: Enterprise | Object: AN1248 (Analytic) | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on macOS trust and execution controls that often determine whether downloaded code is allowed to run. For leaders, the practical question is whether the organization can see attempts to weaken Gatekeeper/quarantine protections, alter code-signing trust, or introduce new trusted certificates before those changes become an incident response problem.

Executive priority

Prioritize this where macOS endpoints support privileged users, developers, executives, or regulated workflows. The business value is assurance: teams should be able to prove they monitor changes to code-signing attributes, quarantine flags, and trusted certificates, and can investigate suspicious module-loading behavior that may indicate local protection bypass attempts. This supports resilience, audit evidence, and incident decision-making for macOS fleets.

Technical view

For SOC and detection engineering, validate collection and correlation around macOS extended attribute changes, especially use of xattr to remove quarantine metadata from downloaded binaries; certificate trust changes involving security add-trusted-cert; modification of code-signing attributes; and abnormal module loads associated with bypassing SIP protections. ATT&CK does not provide a separate detection body or relationship context for this analytic, so local tuning must define what is normal for software deployment, developer tooling, endpoint management, and certificate administration.

Likely telemetry

  • macOS process execution telemetry, including command-line arguments for xattr and security
  • File metadata or extended attribute change events related to quarantine flags
  • Certificate trust store modification events, especially additions of trusted certificates
  • Code-signing attribute or validation-related events where available
  • Endpoint security telemetry for module loads and SIP-relevant protection signals

Detection direction

  • Confirm the organization actually collects command-line and file attribute telemetry on macOS endpoints, not only generic process start events.
  • Alert or hunt for xattr usage that strips quarantine attributes from downloaded binaries, with allowlisting for legitimate deployment and administrative workflows.
  • Monitor use of security add-trusted-cert and review whether certificate trust changes are expected, approved, and attributable to known management tooling.
  • Correlate trust or quarantine changes with subsequent execution or abnormal module-load behavior to reduce noise and improve investigation value.
  • Tune carefully for developer, IT administration, and MDM/software distribution activity, which may create legitimate events resembling the analytic focus.
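As an added example (not part of the ATT&CK object or of Glexia's text), the following Python triages constructed macOS process-start events for the two command-line behaviours the list above names, xattr removal of the com.apple.quarantine attribute and security add-trusted-cert, and applies the recommended allowlisting by parent process. The JSON event schema, the sample events and the allowlisted MDM agent path are assumptions.

```python
import json
import shlex

# Constructed sample telemetry (not real data): one JSON object per process-start
# event. The field names user/parent/cmdline are an assumed EDR export schema.
SAMPLE_EVENTS = """
{"user": "alice", "parent": "/bin/zsh", "cmdline": "xattr -d com.apple.quarantine /Users/alice/Downloads/tool"}
{"user": "_mdm", "parent": "/usr/local/bin/mdm-agent", "cmdline": "xattr -rd com.apple.quarantine /Applications/Managed.app"}
{"user": "bob", "parent": "/bin/bash", "cmdline": "xattr -l /Users/bob/Downloads/report.pdf"}
{"user": "root", "parent": "/bin/sh", "cmdline": "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/ca.pem"}
{"user": "carol", "parent": "/usr/bin/login", "cmdline": "ls -la"}
"""

# Parent processes allowed to strip quarantine or change trust (assumed deployment tooling).
ALLOWED_PARENTS = {"/usr/local/bin/mdm-agent"}


def classify(cmdline):
    """Label one command line, or return None if it is not relevant to AN1248."""
    argv = shlex.split(cmdline)
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    flags = [a for a in argv[1:] if a.startswith("-")]
    if tool == "xattr":
        # -d <attr> removes a named attribute and -c clears all of them; either may be
        # combined with -r (e.g. -rd), so inspect flag letters rather than whole tokens.
        clears_all = any("c" in f for f in flags)
        deletes_quarantine = any("d" in f for f in flags) and "com.apple.quarantine" in argv
        if clears_all or deletes_quarantine:
            return "quarantine_removed"
    elif tool == "security" and "add-trusted-cert" in argv:
        return "trust_cert_added"
    return None


def triage(jsonl, allowed_parents=ALLOWED_PARENTS):
    """Return (label, severity, user) for each event worth alerting or hunting on."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        label = classify(event["cmdline"])
        if label is None:
            continue
        # Known management tooling is downgraded, not dropped, so the change stays auditable.
        severity = "info" if event["parent"] in allowed_parents else "alert"
        findings.append((label, severity, event["user"]))
    return findings
```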

Mitigation priorities

  • Establish governance for who can add trusted certificates or modify macOS trust settings.
  • Preserve Gatekeeper/quarantine enforcement expectations and investigate unauthorized removal of quarantine flags.
  • Restrict and monitor privileged administrative paths used to change certificate trust or endpoint security posture.
  • Use managed endpoint configuration to standardize macOS security settings and reduce unmanaged exceptions.
  • Create incident response playbooks for suspicious trust-store changes, quarantine stripping, and related execution events.

Analyst notes and limits

This Glexia take is based on ATT&CK analytic AN1248 for macOS. The object describes monitoring of code-signing attributes, Gatekeeper/quarantine flags, trusted certificate insertion through security add-trusted-cert, xattr removal of quarantine flags, and correlation with abnormal module loads bypassing SIP protections. No tactics or relationships were supplied, so prioritization should be driven by local macOS exposure and business role criticality.

The supplied ATT&CK object has no official detection section beyond the description and no relationship context. This summary does not assert active exploitation, attribution, impact, or existing detection coverage. Local validation is required to determine available telemetry, normal administrative behavior, and false-positive boundaries.

Official MITRE ATT&CK definition

Analytic 1248

Detection monitors modification of code signing attributes, Gatekeeper/quarantine flags, and insertion of new trust certificates via security add-trusted-cert. Identifies adversary use of xattr to strip quarantine flags from downloaded binaries. Correlates with abnormal module loads bypassing SIP protections.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bad4f7403a0e8077...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   bad4f7403a0e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1248 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.