MITRE ATT&CK® Analytic

AN0141: Analytic 0141

Suspicious file creation or modification in directories ignored by XProtect or AV exclusions (e.g., ~/Library, temporary cache directories). Defender perspective: monitor file events in ignored paths with correlation to execution or persistence activity.

Enterprise | AN0141 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on macOS files created or modified in locations that may be ignored by XProtect or antivirus exclusions, such as user Library and temporary cache paths. For leaders, the decision value is whether endpoint monitoring still provides visibility in places security tools may intentionally or operationally overlook. The behavior is material because suspicious activity in excluded paths can weaken confidence in prevention-only controls and can affect incident response timelines if file evidence is not collected.

Executive priority

Treat this as a macOS visibility and control-assurance question: do security teams know which paths are excluded from protection, and can they still produce audit-ready evidence of file activity there? Priority should go to validating endpoint telemetry, exclusion governance, and SOC correlation with execution or persistence indicators before relying on AV/XProtect coverage assumptions.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for file creation and modification events in macOS paths that are ignored by XProtect or configured AV exclusions, including examples such as ~/Library and temporary cache directories. Because the official detection field is not provided, the useful implementation direction is correlation-based: file activity in ignored paths should be reviewed alongside evidence of execution or persistence activity. Tactics are not specified for this analytic, and no relationship context is supplied, so local mapping to relevant ATT&CK techniques should be based on observed execution or persistence evidence in the environment.

Likely telemetry

  • macOS endpoint file creation events
  • macOS endpoint file modification events
  • Inventory of XProtect or antivirus exclusion paths
  • Process execution telemetry correlated to files in ignored paths
  • Persistence-related telemetry correlated to files in ignored paths

Detection direction

  • Confirm that endpoint tooling records file events inside paths excluded from XProtect or antivirus scanning, not only events from protected locations.
  • Tune detections around suspicious file creation or modification in ignored paths with correlation to execution or persistence activity, as stated in the analytic description.
  • Review false positives from legitimate application caches, user Library activity, software updates, and temporary files before escalating solely on path location.
  • Validate whether exclusion inventories are centrally governed and available to detection engineers; unknown or undocumented exclusions are a likely blind spot.
  • Because no official detection logic is provided, test with local benign examples and historical endpoint data before treating alerts as high-confidence.
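Added example (not Glexia's or MITRE's code) of the correlation the detection direction above describes: file create/modify events inside AV/XProtect-excluded paths are held as candidates and only raised when the same file is later executed or becomes the target of a persistence item within a short window. The exclusion inventory, event schema and sample telemetry are constructed assumptions, not a real product's export format.

```python
"""Correlate file events in excluded paths with later execution or persistence."""
from datetime import datetime, timedelta
import fnmatch

# Constructed exclusion inventory (assumption: exported from the fleet's AV/XProtect config).
# ~/Library is written as /Users/*/Library so the globs match the absolute paths telemetry reports.
EXCLUDED_PATHS = ["/Users/*/Library/Caches/*", "/private/tmp/*", "/private/var/folders/*"]
CORRELATION_WINDOW = timedelta(minutes=10)

def in_excluded_path(path):
    """True if the path falls under any configured exclusion (glob match, '*' spans '/')."""
    return any(fnmatch.fnmatch(path, pat) for pat in EXCLUDED_PATHS)

def correlate(events, window=CORRELATION_WINDOW):
    """events: dicts with ts, type (file_create|file_modify|process_exec|persistence), path,
    and for persistence items a 'target' (the program the LaunchAgent/LaunchDaemon runs).
    Returns one alert per execution or persistence event that references a file written
    in an excluded path within `window` beforehand; path location alone never alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    pending = {}  # excluded-path file -> timestamp of its most recent create/modify
    alerts = []
    for e in events:
        if e["type"] in ("file_create", "file_modify") and in_excluded_path(e["path"]):
            pending[e["path"]] = e["ts"]
            continue
        if e["type"] == "process_exec":
            key = e["path"]            # executed binary is itself the excluded-path file
        elif e["type"] == "persistence":
            key = e.get("target")      # persistence item points at the excluded-path file
        else:
            continue
        seen = pending.get(key)
        if seen is not None and e["ts"] - seen <= window:
            alerts.append({"file": key, "trigger": e["type"], "written": seen, "triggered": e["ts"]})
    return alerts

# Constructed sample telemetry: a binary dropped in a cache path, executed, then persisted.
T0 = datetime(2024, 1, 1, 9, 0, 0)
DROP = "/Users/alice/Library/Caches/com.example/updater"
SAMPLE_EVENTS = [
    {"ts": T0, "type": "file_create", "path": DROP},
    {"ts": T0 + timedelta(minutes=2), "type": "process_exec", "path": DROP},
    {"ts": T0 + timedelta(minutes=3), "type": "file_create", "path": "/Users/alice/Library/LaunchAgents/com.example.plist"},
    {"ts": T0 + timedelta(minutes=3), "type": "persistence", "path": "/Users/alice/Library/LaunchAgents/com.example.plist", "target": DROP},
    {"ts": T0 + timedelta(minutes=5), "type": "file_modify", "path": "/private/tmp/build.log"},   # benign: never executed
    {"ts": T0 + timedelta(minutes=6), "type": "process_exec", "path": "/Applications/Safari.app/Contents/MacOS/Safari"},  # protected path
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign `/private/tmp/build.log` write and the Safari launch produce nothing, which is the false-positive control the list above asks for: an excluded-path write only matters once execution or persistence evidence points back at it.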

Mitigation priorities

  • Maintain an approved inventory of macOS AV and XProtect exclusion paths and review it regularly.
  • Reduce unnecessary exclusions where operationally possible, especially broad user-writable or temporary directories.
  • Ensure endpoint monitoring still collects file activity in excluded paths even when prevention controls do not scan them.
  • Prioritize correlation between file events, execution, and persistence telemetry for alert triage and incident response evidence.
  • Use this analytic as a control-validation item for macOS endpoint hardening, SOC coverage reviews, and compliance evidence around endpoint monitoring.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS only. It describes suspicious file creation or modification in directories ignored by XProtect or AV exclusions and recommends correlation with execution or persistence activity. No tactics, detection logic, aliases, labels, or relationship context were supplied, so this take avoids mapping the analytic to specific techniques or claiming coverage against a named adversary behavior.

The official detection field is not provided, and no relationships are supplied. Local exclusion lists, endpoint telemetry quality, macOS fleet configuration, and normal application behavior are required to determine whether this analytic is actionable and how noisy it will be.

Official MITRE ATT&CK definition

Analytic 0141

Suspicious file creation or modification in directories ignored by XProtect or AV exclusions (e.g., ~/Library, temporary cache directories). Defender perspective: monitor file events in ignored paths with correlation to execution or persistence activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1c650a032d561200...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 1c650a032d56…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0141 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.