This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Attempt to Delete an Okta Policy Rule Attempt to Disable Syslog Service »
Elastic Docs Elastic Security Solution [8.16] Detections and alerts Prebuilt rule reference

Attempt to Disable Gatekeeper

edit

Attempt to Disable Gatekeeper

edit

Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that’s designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Defense Evasion

Version: 100 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
event.category:process and event.type:(start or process_started) and
process.args:(spctl and "--master-disable")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 100 (8.5.0 release)

  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
process.args:(spctl and "--master-disable")
Version 3 (8.4.0 release)
  • Formatting only
Version 2 (8.3.0 release)
  • Formatting only
« Attempt to Delete an Okta Policy Rule Attempt to Disable Syslog Service »