Attempt to Disable Gatekeeper
Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/01/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only
trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Disable Gatekeeper"
references = [
    "https://support.apple.com/en-us/HT202491",
    "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397",
]
risk_score = 47
rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
  process.args:(spctl and "--master-disable")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Attempt to Disable Gatekeeper

Gatekeeper is a macOS security feature that ensures only trusted software runs by verifying app signatures. Adversaries may attempt to disable it to execute unauthorized code, bypassing security checks. The detection rule identifies such attempts by monitoring process events for specific commands used to disable Gatekeeper, flagging potential defense evasion activities.

### Possible investigation steps

- Review the process event details to confirm the presence of the command `spctl --master-disable` in the `process.args` field, which indicates an attempt to disable Gatekeeper.
- Identify the user account associated with the process event to determine if the action was initiated by a legitimate user or an unauthorized actor.
- Check the `event.category` and `event.type` fields to ensure the event is categorized as a process start, which aligns with the rule's detection criteria.
- Investigate the parent process of the flagged event to understand the context in which the Gatekeeper disabling attempt was made, looking for any suspicious or unexpected parent processes.
- Examine recent process events on the same host to identify any subsequent or preceding suspicious activities that might indicate a broader attack or compromise.
- Review system logs and other security alerts on the host for additional indicators of compromise or related malicious activities.
- Assess the risk and impact of the event by considering the host's role, the sensitivity of data it handles, and any potential exposure resulting from the attempted Gatekeeper disablement.

### False positive analysis

- System administrators or IT personnel may intentionally disable Gatekeeper for legitimate software installations or troubleshooting. To manage this, create exceptions for known administrative accounts or specific maintenance windows.
- Some legitimate applications may require Gatekeeper to be disabled temporarily for installation. Identify these applications and whitelist their installation processes to prevent false alerts.
- Development environments on macOS might disable Gatekeeper to test unsigned applications. Consider excluding processes initiated by development tools or specific user accounts associated with development activities.
- Automated scripts or management tools that configure macOS settings might trigger this rule. Review and adjust these scripts to ensure they are recognized as non-threatening, or exclude them from monitoring if they are verified as safe.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent potential lateral movement or further execution of unauthorized code.
- Terminate any suspicious processes associated with the attempt to disable Gatekeeper, specifically those involving the 'spctl --master-disable' command.
- Conduct a thorough review of recent system changes and installed applications on the affected device to identify and remove any unauthorized or malicious software.
- Restore Gatekeeper settings to their default state to ensure that only trusted software can be executed on the device.
- Escalate the incident to the security operations team for further analysis and to determine if additional devices or systems may be affected.
- Implement additional monitoring on the affected device and similar systems to detect any further attempts to disable Gatekeeper or other security features.
- Review and update endpoint security policies to enhance protection against similar threats, ensuring that all macOS devices are configured to prevent unauthorized changes to security settings."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
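The rule's `query` and the exception strategy from its "False positive analysis" section can be exercised offline. The following Python is an added example, not Elastic's query engine or any code from the detection-rules repository: it re-implements the KQL condition over constructed ECS-style process events (the user names, parent process names and the `Exceptions` class are hypothetical), shows which events the rule would and would not match, and then applies the kind of admin-account and parent-process exceptions the guide recommends while keeping a record of why each match was suppressed.

```python
"""Added example: a stand-alone re-implementation of the rule's KQL logic
(not Elastic's query engine) run over constructed ECS-style process events,
followed by the exception handling the false-positive section describes.
"""
from dataclasses import dataclass

# Constructed sample events using flattened ECS field names. User names and
# parent process names are hypothetical and not taken from the rule page.
SAMPLE_EVENTS = [
    {   # should alert: spctl invoked with --master-disable from a shell
        "event.category": "process", "event.type": "start",
        "host.os.type": "macos", "user.name": "jdoe",
        "process.parent.name": "bash",
        "process.args": ["spctl", "--master-disable"],
    },
    {   # same command via sudo from a known administrative account
        "event.category": ["process"], "event.type": ["start", "process_started"],
        "host.os.type": "macos", "user.name": "it-admin",
        "process.parent.name": "Terminal",
        "process.args": ["sudo", "spctl", "--master-disable"],
    },
    {   # no alert: only querying Gatekeeper status
        "event.category": "process", "event.type": "start",
        "host.os.type": "macos", "user.name": "jdoe",
        "process.parent.name": "zsh",
        "process.args": ["spctl", "--status"],
    },
    {   # no alert: the rule is scoped to macOS hosts only
        "event.category": "process", "event.type": "start",
        "host.os.type": "linux", "user.name": "root",
        "process.parent.name": "bash",
        "process.args": ["spctl", "--master-disable"],
    },
    {   # no alert: process end event, not a start
        "event.category": "process", "event.type": "end",
        "host.os.type": "macos", "user.name": "jdoe",
        "process.parent.name": "bash",
        "process.args": ["spctl", "--master-disable"],
    },
]


def _values(event: dict, field: str) -> list:
    """ECS fields may be scalar or array; KQL matches if any element matches."""
    value = event.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_rule(event: dict) -> bool:
    """Mirror of the rule query:
      event.category:process and host.os.type:macos and
      event.type:(start or process_started) and
      process.args:(spctl and "--master-disable")
    Both process.args terms must be present; their order is irrelevant."""
    args = _values(event, "process.args")
    return (
        "process" in _values(event, "event.category")
        and "macos" in _values(event, "host.os.type")
        and any(t in ("start", "process_started") for t in _values(event, "event.type"))
        and "spctl" in args
        and "--master-disable" in args
    )


@dataclass(frozen=True)
class Exceptions:
    """Hypothetical tuning knobs from the false-positive section: known
    administrative accounts and approved management/development parents."""
    admin_users: frozenset = frozenset()
    parent_names: frozenset = frozenset()


def triage(events, exceptions: Exceptions):
    """Split rule matches into alerts and suppressed (excepted) matches.
    Each suppression records its reason so the exception stays auditable."""
    alerts, suppressed = [], []
    for event in events:
        if not matches_rule(event):
            continue
        user = event.get("user.name")
        parent = event.get("process.parent.name")
        if user in exceptions.admin_users:
            suppressed.append((event, f"known admin account {user}"))
        elif parent in exceptions.parent_names:
            suppressed.append((event, f"approved parent process {parent}"))
        else:
            alerts.append(event)
    return alerts, suppressed


if __name__ == "__main__":
    print("rule matches:", [matches_rule(e) for e in SAMPLE_EVENTS])
    alerts, suppressed = triage(SAMPLE_EVENTS, Exceptions(admin_users=frozenset({"it-admin"})))
    for e in alerts:
        print("ALERT", e["user.name"], " ".join(e["process.args"]), "parent:", e["process.parent.name"])
    for e, why in suppressed:
        print("suppressed:", why)
```

Two details of the re-implementation matter for tuning the real rule: KQL matches array fields when any element matches, so `sudo spctl --master-disable` is still a hit because both terms appear in `process.args`, and the `event.type` check means a `process.args` match on a process end event is deliberately ignored. Suppressions are kept separately from non-matches so an exception for an admin account never silently hides the fact that the command ran.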
References
- https://support.apple.com/en-us/HT202491
- https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397
Related rules
- Attempt to Install Root Certificate
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Creation of Hidden Launch Agent or Daemon
- Elastic Agent Service Terminated
- Execution via Electron Child Process Node.js Module