Correlates suspicious removal or modification of the com.apple.quarantine extended attribute, manipulation of LSFileQuarantineEnabled values in Info.plist, and unexpected process execution of unsigned or non-notarized binaries. Also monitors abnormal trust validation failures in unified logs and unusual activity in QuarantineEvents database entries.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | xattr -d com.apple.quarantine or similar attribute removal commands |
| Process Creation (DC0032) | macos:unifiedlog | Trust validation failures or bypass attempts during notarization and code signing checks |
| File Modification (DC0061) | macos:osquery | Changes to LSFileQuarantineEnabled field in Info.plist |

| Field | Description |
|---|---|
| QuarantineBypassAllowList | Legitimate enterprise update tools or deployment frameworks that may strip quarantine flags |
| CertificateAuthorityList | Baseline trusted Apple Developer IDs and enterprise certs used for code signing |
| TimeWindow | Time correlation window for xattr modification followed by suspicious process execution |
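The core correlation above (quarantine attribute stripped, then an unsigned or non-notarized binary at the same path executed within TimeWindow, with QuarantineBypassAllowList suppressing enterprise deployment tools) as an added Python example; it is not part of the original detection strategy, and the allowlist entries, event shape and sample telemetry are constructed assumptions rather than real unified-log output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables mirroring the page's mutable fields (values here are hypothetical).
QUARANTINE_BYPASS_ALLOWLIST = {"/usr/local/bin/jamf"}   # enterprise tools allowed to strip the flag
TIME_WINDOW = timedelta(minutes=10)                      # xattr removal -> execution window

@dataclass
class Event:
    ts: datetime
    kind: str        # "xattr_removed" or "process_exec"
    path: str        # file the attribute was stripped from / binary that executed
    actor: str       # process that removed the attribute or launched the binary
    signed: bool = True      # code signature validated
    notarized: bool = True   # notarization ticket validated

def correlate(events, allowlist=QUARANTINE_BYPASS_ALLOWLIST, window=TIME_WINDOW):
    """Pair each com.apple.quarantine removal with a later execution of an
    unsigned or non-notarized binary at the same path inside the window.
    Removals performed by allowlisted deployment tools are ignored."""
    pending = {}   # path -> most recent non-allowlisted xattr removal
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "xattr_removed":
            if e.actor not in allowlist:
                pending[e.path] = e
        elif e.kind == "process_exec" and not (e.signed and e.notarized):
            removal = pending.get(e.path)
            if removal is not None and timedelta(0) <= e.ts - removal.ts <= window:
                alerts.append((removal, e))
    return alerts

# Constructed sample telemetry (not real unified-log output).
T0 = datetime(2024, 1, 1, 12, 0, 0)
DL = "/Users/alice/Downloads/Installer.app/Contents/MacOS/Installer"
CORP = "/Applications/Corp.app/Contents/MacOS/Corp"
SAMPLE_EVENTS = [
    Event(T0, "xattr_removed", DL, "/bin/bash"),
    Event(T0 + timedelta(seconds=40), "process_exec", DL, "/bin/bash", signed=False, notarized=False),
    Event(T0 + timedelta(minutes=2), "xattr_removed", CORP, "/usr/local/bin/jamf"),   # allowlisted actor
    Event(T0 + timedelta(minutes=3), "process_exec", CORP, "/usr/local/bin/jamf", notarized=False),
    Event(T0 + timedelta(minutes=5), "xattr_removed", "/tmp/tool", "/bin/zsh"),
    Event(T0 + timedelta(minutes=30), "process_exec", "/tmp/tool", "/bin/zsh", signed=False),  # outside window
]

if __name__ == "__main__":
    for removal, run in correlate(SAMPLE_EVENTS):
        print(f"ALERT: quarantine stripped by {removal.actor} at {removal.ts:%H:%M:%S}; "
              f"unsigned/non-notarized execution of {run.path} at {run.ts:%H:%M:%S}")
```

Widening `window` or emptying `allowlist` shows how the two tunables trade false negatives for noise: the jamf-driven pair surfaces only with the allowlist removed, and the /tmp/tool pair only with a window longer than 25 minutes.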