Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called
com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the
dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.
The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the
com.apple.quarantine quarantine flag can be checked with the xattr command
xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr,
sudo xattr -d com.apple.quarantine /path/to/folder.
Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the
curl command do not set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise, which may bypass Gatekeeper. 
If running with elevated privileges, OSX/Shlayer uses the
System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.
|ID||Data Source||Data Component|
The removal of the
com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as
xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the
com.apple.quarantine flag when performing updates.
false values under the
LSFileQuarantineEnabled entry in an application's
Info.plist file (required by every application).
LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified
LSFileQuarantineEnabled entry will default to not setting the quarantine flag.
QuarantineEvents is a SQLite database containing a list of all files assigned the
com.apple.quarantine attribute, located at
~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.