T1553.001: Gatekeeper Bypass
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.[1][2]
Based on an opt-in system, when files are downloaded, an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first-run applications with the quarantine flag set, Gatekeeper executes the following functions:
1. Checks extended attribute - Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.[3][4]
2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.
3. Code Signing - Gatekeeper checks for a valid code signature from an Apple Developer ID.
4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which results in a prompt about executing an “unauthorized app” and modifies the security policy.
Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. Exploitation for Stealth), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.[5][6]
Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using Drive-by Compromise.
Analyst context for executives and security teams
Gatekeeper Bypass matters because it targets a macOS trust decision that many organizations rely on to stop untrusted applications before users run them. If quarantine attributes, code-signing/notarization checks, or first-run trust controls are missing or subverted, a Mac can execute software that users and security teams expected macOS to challenge or block.
Executive priority
Treat this as a macOS control-assurance issue, not only a malware technique. Leaders should ask whether the organization can prove that managed Macs preserve quarantine metadata, enforce trusted execution policies, and generate evidence when trust controls are bypassed or modified. This is especially relevant for executive, developer, and creative workstations where software is frequently downloaded, transferred from external media, or introduced through development workflows.
Technical view
ATT&CK places this sub-technique under Subvert Trust Controls for macOS and defense impairment. SOC and IR teams should validate visibility into Gatekeeper-relevant events: quarantine flag presence or removal, first-run application execution, application bundle modification, code-signing/notarization outcomes, and software introduced through paths that may not set com.apple.quarantine such as external drives, local network shares, or command-line download activity. Because MITRE does not provide official detection text for this object, detection engineering should use the related DET0288 strategy as context and test local telemetry rather than assuming endpoint coverage exists.
Likely telemetry
- macOS extended attribute data, especially com.apple.quarantine on downloaded files and application bundles
- Endpoint process execution events for newly introduced or first-run applications
- File creation and modification events inside .app bundles and executable paths
- Code-signing, notarization, and trust-assessment results where available
- Download and file-introduction context from browsers, curl, removable media, optical media, external drives, and local network shares
Detection direction
- Confirm whether managed macOS telemetry records quarantine flag presence, removal, or absence at execution time; absence alone may be benign for some transfer paths and should be correlated with provenance and execution.
- Tune for suspicious modification of previously opened application bundles, especially where executable content changes after initial trust decisions.
- Correlate first-run execution, unsigned or unexpectedly signed code, notarization failures or overrides, and files introduced from paths that may not apply quarantine attributes.
- Account for false positives from legitimate software packaging, developer workflows, administrative tools, and approved internal applications that modify bundles or move files across network/removable media.
- Use relationship context from known macOS software examples as intelligence for test cases, but do not treat the presence of this technique as attribution.
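To make the detection direction above concrete, the following is an added example (not MITRE's or Glexia's code) that parses a `com.apple.quarantine` value (`flags;hex Unix time;agent;UUID`) and triages constructed first-run execution events by quarantine state and provenance, so that absence of the flag on a browser download is treated differently from absence on a USB or network-share transfer. The event record shape, the provenance labels, and every sample value are assumptions made for the example.

```python
# Added example (not MITRE or Glexia code): parse a com.apple.quarantine value
# and triage execution events by quarantine state and provenance.
# Every event record and xattr value below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Quarantine:
    flags: int           # hex bit field written by the downloading agent
    downloaded: datetime # download time, stored as hex Unix seconds
    agent: str           # application that applied the flag, e.g. Safari
    uuid: str            # key into the LaunchServices QuarantineEvents database

def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;unixtime_hex;agent;uuid', the on-disk layout of the xattr."""
    parts = value.split(";")
    if len(parts) < 4:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    return Quarantine(int(parts[0], 16),
                      datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
                      parts[2], ";".join(parts[3:]))

# Introduction paths the technique text says may not set the flag at all.
NO_FLAG_PATHS = {"usb", "optical", "external_drive", "network_share", "curl"}

def triage(event: dict) -> str:
    """Classify one execution event; the record shape is hypothetical."""
    if event.get("previously_trusted") and event.get("bundle_modified_after_trust"):
        return "ALERT: executable content changed after initial trust decision"
    q = event.get("quarantine")
    if q is None:
        if event["provenance"] in NO_FLAG_PATHS:
            return "REVIEW: flag absent but expected for provenance; verify signature"
        return "ALERT: flag absent on browser download (possible xattr removal)"
    p = parse_quarantine(q)
    return f"OK: quarantined by {p.agent} at {p.downloaded:%Y-%m-%dT%H:%M:%SZ}"

SAMPLE_EVENTS = [  # constructed
    {"path": "/Users/u/Downloads/Tool.app", "provenance": "browser",
     "quarantine": "0083;6540a1c0;Safari;1F3E2A4B-0000-4000-8000-000000000001"},
    {"path": "/Users/u/Downloads/Tool2.app", "provenance": "browser", "quarantine": None},
    {"path": "/Volumes/USB/Installer.app", "provenance": "usb", "quarantine": None},
    {"path": "/Applications/Notes.app", "provenance": "installed", "quarantine": None,
     "previously_trusted": True, "bundle_modified_after_trust": True},
]

def triage_all(events=SAMPLE_EVENTS) -> list:
    """Return (path, verdict) pairs; verdicts start with ALERT, REVIEW or OK."""
    return [(e["path"], triage(e)) for e in events]
```

On a real Mac the attribute value would come from `xattr -p com.apple.quarantine <path>` and the provenance from endpoint telemetry; the point of the triage is that the same missing flag is a review item on one path and an alert on another.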
Mitigation priorities
- Prioritize execution prevention for macOS so only trusted and authorized code can run, consistent with the related M1038 mitigation.
- Standardize macOS security policy settings for Gatekeeper, code signing, and notarization expectations across managed endpoints.
- Reduce uncontrolled software introduction from removable media, local shares, and unmanaged download paths where quarantine metadata may be absent.
- Harden and monitor developer and high-privilege workstations where application bundles and local build artifacts are common.
- Maintain audit evidence showing policy configuration, endpoint coverage, and response procedures for trust-control bypass attempts.
Analyst notes and limits
This object is macOS-specific and is a sub-technique of T1553 Subvert Trust Controls. MITRE links it to multiple macOS malware/software entries and to detection strategy DET0288, but the official detection field for the technique is not provided. The most useful defensive work is validating whether Gatekeeper assumptions hold in the organization’s real software acquisition and execution paths.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not establish current exploitation, prevalence, attribution, or guaranteed detection coverage. Local macOS version, endpoint tooling, MDM policy, user workflows, and available logs determine practical risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553 | Subvert Trust Controls | This object is a sub-technique of Subvert Trust Controls. |
| Enterprise | T1144 | Gatekeeper Bypass | T1144 Gatekeeper Bypass was revoked by this object. |
Groups, software, and campaigns
S0658: XCSSET
XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors and spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]
S0402: OSX/Shlayer
OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[1][2]
S1153: Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs (PUPs) such as converters, cleaners, and uninstallers.[1][2]
S1016: MacMa
MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]
S0352: OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (`root` or `user`).[1][2][3]
S0369: CoinTicker
CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | ee7a9e2170da… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.
[2] How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.
[3] Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.
[4] Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
[5] Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.
[6] Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
[7] mitre-attack: T1553.001.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.