{
  "type": "x-mitre-analytic",
  "spec_version": "2.1",
  "id": "x-mitre-analytic--8cd02c43-f3f5-4623-a816-cefe1f586288",
  "created": "2025-10-21T15:10:28.402Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/detectionstrategies/DET0474#AN1307",
      "external_id": "AN1307"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2025-10-21T15:10:28.402Z",
  "name": "Analytic 1307",
  "description": "macOS environmental keying behavioral chain: (1) System information discovery through native utilities (system_profiler, sw_vers, hostname, dscl) and Security framework queries, (2) Hardware and software enumeration including serial numbers, installed applications, and system versions, (3) Network configuration assessment (networksetup, scutil) and wireless network discovery, (4) Keychain and security context validation, (5) Unified Logs correlation with cryptographic framework usage (CommonCrypto, Security.framework), (6) Application bundle execution following environmental validation",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_platforms": [
    "macOS"
  ],
  "x_mitre_log_source_references": [
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
      "name": "macos:unifiedlog",
      "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
      "name": "macos:unifiedlog",
      "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
      "name": "fs:fsevents",
      "channel": "file system events indicating access to system configuration files and environmental information sources"
    }
  ],
  "x_mitre_mutable_elements": [
    {
      "field": "SystemProfilerDataTypes",
      "description": "Specific system_profiler data types that adversaries commonly target (SPHardwareDataType, SPSoftwareDataType, SPNetworkDataType) - customize based on threat intelligence"
    },
    {
      "field": "SecurityFrameworkOperationPatterns",
      "description": "Security.framework and CommonCrypto API usage patterns indicating cryptographic operations for environmental keying"
    },
    {
      "field": "UnifiedLogRetentionWindow",
      "description": "Time window for correlating discovery activities with subsequent cryptographic operations - balance between detection coverage and log volume"
    },
    {
      "field": "ApplicationBundleValidationPaths",
      "description": "Specific application bundle paths and identifiers that might be subject to environmental validation"
    },
    {
      "field": "NetworkConfigurationIdentifiers",
      "description": "Organization-specific network configurations, WiFi SSIDs, and network services that adversaries might validate against"
    },
    {
      "field": "MacOSVersionBaseline",
      "description": "Expected macOS versions and configurations in the environment, used to identify version-specific environmental targeting"
    },
    {
      "field": "FSEventsFilteringCriteria",
      "description": "File system event filtering criteria to focus on security-relevant file access patterns while managing event volume"
    }
  ],
  "x_mitre_deprecated": false
}