MITRE ATT&CK® Analytic

AN0008: Analytic 0008

macOS clients joined to AD via LDAP may script account provisioning via `dsconfigad`, `dscl`, or LDAP scripts. Detection occurs when such tools run on a domain-joined system, followed by authentication attempts by a previously unseen account.

Domain: Enterprise | ID: AN0008 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because macOS systems joined to Active Directory can be used in scripted account provisioning workflows. The business risk is not the tools themselves, but the combination of directory-management activity on a domain-joined Mac followed by authentication from an account the environment has not seen before. That pattern can indicate a legitimate onboarding process, a misconfigured automation path, or suspicious account creation/use that deserves identity and SOC review.

Executive priority

Security leaders should treat this as an identity-governance and monitoring validation item for organizations that bind macOS endpoints to AD via LDAP. Priority should be driven by how much business-critical access depends on AD accounts, whether macOS administrative workflows are documented, and whether the SOC can correlate endpoint tool execution with first-seen account authentication. This is also useful audit evidence: it tests whether account lifecycle activity is observable across endpoint and directory/authentication logs.

Technical view

For macOS platforms, validate whether telemetry can show execution of directory/account-management tools such as dsconfigad, dscl, or LDAP scripting on domain-joined clients, and correlate that activity with subsequent authentication attempts by previously unseen accounts. Because no ATT&CK tactic or standalone detection logic is supplied, teams should implement this as a contextual correlation rather than a single-event alert. Baseline approved provisioning hosts, scripts, administrators, and expected onboarding windows before treating matches as high confidence.

Likely telemetry

  • macOS process execution telemetry for directory and LDAP-related tooling
  • Host inventory or configuration data showing whether the macOS client is AD/LDAP domain-joined (for example, `dsconfigad -show` output collected by MDM or an EDR query, which reports the current Active Directory binding)
  • Directory service or authentication logs showing account logon attempts
  • Identity telemetry capable of identifying first-seen or previously unseen accounts
  • Change-management or provisioning records to distinguish approved onboarding from unexpected activity

Detection direction

  • Confirm the SOC can correlate macOS endpoint events with AD/LDAP authentication events across the same time window.
  • Tune for domain-joined macOS systems only, since the supplied analytic is platform- and context-specific.
  • Create allowlists or baselines for known provisioning scripts, approved administrators, and managed onboarding workflows to reduce false positives.
  • Investigate cases where tool execution is followed by authentication from an account not previously observed in the environment.
  • Watch for blind spots where macOS process telemetry exists but identity logs are unavailable, or where identity logs exist but cannot identify first-seen accounts.
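As an added example that is not part of the ATT&CK object or of Glexia's page, the Python sketch below implements the correlation described in the Technical view and Detection direction sections above and runs it over constructed sample events: a host inventory that records AD/LDAP binding, a process-execution feed, an authentication feed, the set of accounts the environment has already seen, and an allowlist of approved (host, operator) provisioning pairs. The hostnames, account names, timestamps, the two-hour window, the allowlist, and the use of `ldapadd`/`ldapmodify` to stand in for "LDAP scripts" are all assumptions made for the example.

```python
"""Added example: correlate directory-tool execution on AD/LDAP-bound macOS hosts
with the first authentication attempt of a previously unseen account.

Every host, account, timestamp and allowlist entry below is constructed for
the example; none of it comes from the ATT&CK object or from Glexia's page."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import basename

# Tools named in AN0008, plus two OpenLDAP clients assumed to represent "LDAP scripts".
DIRECTORY_TOOLS = {"dsconfigad", "dscl", "ldapadd", "ldapmodify"}

# Constructed host inventory: only AD/LDAP-bound Macs are in scope for the analytic.
HOST_INVENTORY = {
    "mac-hr-01": {"ad_bound": True},
    "mac-dev-07": {"ad_bound": False},
    "mac-it-02": {"ad_bound": True},
}

# Constructed allowlist of (host, operator) pairs approved to provision accounts.
APPROVED_PROVISIONING = {("mac-it-02", "itadmin")}

# Accounts already observed authenticating before the analysed window (constructed).
KNOWN_ACCOUNTS = {"hrmgr", "itadmin", "dev"}

# Constructed process-execution telemetry (ISO 8601 timestamps, one time zone).
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "mac-hr-01", "user": "hrmgr",
     "exe": "/usr/bin/dscl", "cmdline": "dscl . -create /Users/jdoe"},
    {"ts": "2024-05-01T09:05:00", "host": "mac-dev-07", "user": "dev",
     "exe": "/usr/sbin/dsconfigad", "cmdline": "dsconfigad -show"},  # host not AD-bound
    {"ts": "2024-05-01T09:10:00", "host": "mac-hr-01", "user": "hrmgr",
     "exe": "/bin/ls", "cmdline": "ls -la /Users"},                  # not a directory tool
    {"ts": "2024-05-01T12:00:00", "host": "mac-it-02", "user": "itadmin",
     "exe": "/usr/bin/dscl", "cmdline": "dscl /Search -read /Users/asmith"},
]

# Constructed authentication telemetry from the directory/authentication log.
# Failures count: the analytic speaks of authentication *attempts*.
AUTH_EVENTS = [
    {"ts": "2024-05-01T08:30:00", "account": "hrmgr", "source_host": "mac-hr-01", "result": "success"},
    {"ts": "2024-05-01T09:20:00", "account": "jdoe", "source_host": "mac-hr-01", "result": "success"},
    {"ts": "2024-05-01T09:30:00", "account": "jdoe", "source_host": "mac-hr-01", "result": "success"},
    {"ts": "2024-05-01T12:15:00", "account": "asmith", "source_host": "mac-it-02", "result": "failure"},
    {"ts": "2024-05-01T15:00:00", "account": "bob", "source_host": "mac-hr-01", "result": "success"},
]


@dataclass
class Finding:
    host: str         # AD-bound Mac where the directory tool ran
    operator: str     # account that ran the tool
    tool: str
    cmdline: str
    account: str      # previously unseen account that then authenticated
    auth_host: str
    auth_result: str
    delay_s: float    # seconds between tool execution and the authentication attempt
    approved: bool    # (host, operator) is on the provisioning allowlist


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_directory_tool(event):
    """True when the executed binary is one of the account/directory tools."""
    return basename(event["exe"]) in DIRECTORY_TOOLS


def correlate(process_events, auth_events, known_accounts, inventory,
              approved, window=timedelta(hours=2)):
    """Pair the first authentication attempt of each unseen account with every
    directory-tool execution on an AD/LDAP-bound host in the preceding window."""
    triggers = sorted(
        (p for p in process_events
         if inventory.get(p["host"], {}).get("ad_bound") and is_directory_tool(p)),
        key=_ts)
    seen = set(known_accounts)
    findings = []
    for a in sorted(auth_events, key=_ts):
        if a["account"] in seen:
            continue          # only the first sighting of an account is "previously unseen"
        seen.add(a["account"])
        t_auth = _ts(a)
        for p in triggers:
            t_proc = _ts(p)
            if t_proc < t_auth <= t_proc + window:
                findings.append(Finding(
                    host=p["host"], operator=p["user"], tool=basename(p["exe"]),
                    cmdline=p["cmdline"], account=a["account"],
                    auth_host=a["source_host"], auth_result=a["result"],
                    delay_s=(t_auth - t_proc).total_seconds(),
                    approved=(p["host"], p["user"]) in approved))
    return findings


def run_sample():
    return correlate(PROCESS_EVENTS, AUTH_EVENTS, KNOWN_ACCOUNTS,
                     HOST_INVENTORY, APPROVED_PROVISIONING)


if __name__ == "__main__":
    for f in run_sample():
        label = "baseline/approved" if f.approved else "INVESTIGATE"
        print(f"[{label}] {f.tool} by {f.operator}@{f.host} ({f.cmdline!r}) -> "
              f"first auth of {f.account} from {f.auth_host} ({f.auth_result}) "
              f"{f.delay_s:.0f}s later")
```

On the constructed data this yields two findings: `jdoe` authenticating 20 minutes after an unapproved `dscl . -create` on mac-hr-01 (flagged for investigation), and `asmith` failing to authenticate 15 minutes after an allowlisted administrator ran `dscl` on mac-it-02 (kept as baseline context). The `dsconfigad -show` on the unbound host and the later `bob` logon, which has no trigger within the window, produce nothing. In a real deployment the known-account set must be seeded from the historical authentication baseline before the first run, otherwise every account looks new on day one, and the window and allowlist are the tuning knobs that Detection direction asks teams to set from their own provisioning records.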

Mitigation priorities

  • Document and restrict authorized macOS account-provisioning workflows for AD/LDAP-bound clients.
  • Ensure endpoint logging on macOS and directory authentication logging are both retained and searchable for correlation.
  • Review privileges granted to users or scripts that can perform account provisioning or directory modifications.
  • Use change-management evidence to validate expected account creation and onboarding activity.
  • Periodically test whether new-account authentication can be traced back to an approved provisioning source.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique, and has no relationship context or official detection content beyond the description. The most defensible use is as a coverage-validation question: can the organization observe account-management tooling on domain-joined macOS hosts and connect it to first-seen account authentication?

No tactics, relationships, procedure examples, mitigations, or detailed detection query are provided in the supplied ATT&CK fields. This take is limited to macOS and to the described AD/LDAP domain-joined context. Local baselines and environment-specific identity telemetry are required before determining severity or coverage.

Official MITRE ATT&CK definition

Analytic 0008

macOS clients joined to AD via LDAP may script account provisioning via `dsconfigad`, `dscl`, or LDAP scripts. Detection occurs when such tools run on a domain-joined system, followed by authentication attempts by a previously unseen account.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a1dce0e600918e25...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a1dce0e60091…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0008 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.