{
  "type": "x-mitre-analytic",
  "spec_version": "2.1",
  "id": "x-mitre-analytic--b2261c7f-664b-400c-b8ba-8b5bc3bac75a",
  "created": "2025-10-21T15:10:28.402Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/detectionstrategies/DET0004#AN0011",
      "external_id": "AN0011"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2025-10-21T15:10:28.402Z",
  "name": "Analytic 0011",
  "description": "Modification of PATH or HOME environment variables through shell config files, launchctl, or /etc/paths.d entries, combined with process execution from attacker-controlled directories. Defender correlates file changes in /etc/paths.d with process execution resolving to malicious binaries.",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_platforms": [
    "macOS"
  ],
  "x_mitre_log_source_references": [
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
      "name": "macos:unifiedlog",
      "channel": "File modification in /etc/paths.d or user shell rc files"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
      "name": "macos:unifiedlog",
      "channel": "Process execution path inconsistent with baseline PATH directories"
    }
  ],
  "x_mitre_mutable_elements": [
    {
      "field": "WatchedPathsDirs",
      "description": "Monitor /etc/paths.d and $HOME for unauthorized entries."
    },
    {
      "field": "TrustedExecutables",
      "description": "Baseline applications expected in user PATH directories."
    }
  ],
  "x_mitre_deprecated": false
}