AN0164: Analytic 0164
Detect manipulation of system or application files in `/Library`, `/System`, or user data directories using FSEvents and Unified Logs. Identify anomalous process execution modifying plist files, structured data, or logs outside expected update cycles.
Analyst context for executives and security teams
AN0164 is a macOS-focused detection analytic for spotting suspicious changes to system, application, and user data files, especially plist files, structured data, and logs under paths such as /Library and /System. For leaders, the value is not the path names themselves; it is whether the organization can see unauthorized or unusual file manipulation that could affect endpoint integrity, persistence visibility, audit trails, or application behavior.
Executive priority
Prioritize this analytic as a validation point for macOS endpoint visibility and incident readiness. Security leaders should ask whether SOC teams collect FSEvents and Unified Logs at sufficient fidelity, whether normal software update and administrative maintenance windows are understood, and whether alerts can distinguish expected change from suspicious process-driven modification. This supports resilience, audit evidence, and faster incident scoping for macOS fleets, but the supplied ATT&CK object does not tie the analytic to a specific tactic, technique, actor, or impact scenario.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for file modifications in /Library, /System, and relevant user data directories on macOS. Focus on anomalous process execution that modifies plist files, structured data, or logs outside expected update cycles. Because ATT&CK provides no separate detection logic or relationship context for this analytic, local baselining is essential: known updater processes, MDM activity, administrator tooling, and scheduled maintenance should be modeled before escalating unusual writes as suspicious.
Likely telemetry
- macOS FSEvents showing file creation, modification, deletion, or rename activity in /Library, /System, and user data directories
- macOS Unified Logs associated with file modification, process activity, update activity, and application or system changes
- Endpoint process execution metadata correlated to file write activity
- File path, file type, timestamp, user, parent process, and code-signing or process identity context where available
- Change records for expected software updates, MDM actions, and administrative maintenance windows
Detection direction
- Confirm that FSEvents and Unified Logs are actually collected, retained, and searchable for monitored macOS systems.
- Tune detections around modifications to plist files, structured data, and logs, especially when performed by processes not normally responsible for those changes.
- Correlate file modification events with process execution and expected update cycles to reduce false positives from legitimate OS updates, application updates, MDM changes, and administrator activity.
- Baseline normal macOS change patterns by device role and user population; unmanaged or lightly monitored endpoints are likely blind spots.
- Treat this as a coverage validation analytic rather than a complete detection rule, because the official ATT&CK object does not provide detection pseudocode, thresholds, or technique relationships.
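Detection logic of the kind the list above describes, added here as an example that is not part of ATT&CK or this page: it runs over constructed file-write records (standing in for FSEvents entries already correlated to their responsible process via Unified Logs or EDR) and applies a hypothetical local baseline of expected writer processes, Apple code-signing identity and a nightly maintenance window. All process names, paths, the signing check and the window are assumptions to be replaced by your own baseline.

```python
"""Baseline-driven triage of constructed macOS file-write records (added example, not ATT&CK code)."""
from dataclasses import dataclass
from datetime import datetime, time

MONITORED_ROOTS = ("/Library/", "/System/", "/Users/")
MONITORED_SUFFIXES = (".plist", ".json", ".sqlite", ".db", ".log")
WRITE_ACTIONS = {"created", "modified", "renamed", "removed"}

# Hypothetical local baseline: processes expected to write here, and an assumed 01:00-04:00 patch window.
EXPECTED_WRITERS = {"softwareupdated", "installd", "mdmclient", "cfprefsd"}
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))

@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    path: str
    action: str      # created / modified / renamed / removed
    process: str     # responsible process name, from correlated process telemetry
    signed_by: str   # code-signing identity as reported by endpoint telemetry, "" if unknown

def is_monitored(path: str) -> bool:
    """Only plist, structured data and log files under the monitored roots are in scope."""
    return path.startswith(MONITORED_ROOTS) and path.endswith(MONITORED_SUFFIXES)

def in_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end

def triage(events: list[FileEvent]) -> list[tuple[FileEvent, str]]:
    """Return (event, reason) for writes that fall outside the local baseline."""
    findings = []
    for ev in events:
        if ev.action not in WRITE_ACTIONS or not is_monitored(ev.path):
            continue
        if ev.process in EXPECTED_WRITERS and ev.signed_by == "Apple":
            continue  # known updater with matching identity: expected change
        if in_window(ev.ts) and ev.signed_by == "Apple":
            continue  # Apple-signed write inside the patch window: likely maintenance
        reason = "unexpected writer" if ev.process not in EXPECTED_WRITERS else "identity mismatch"
        findings.append((ev, f"{reason}: {ev.process} {ev.action} {ev.path}"))
    return findings

# Constructed sample records standing in for FSEvents + Unified Log correlation.
SAMPLE = [
    FileEvent(datetime(2024, 5, 1, 2, 10), "/System/Library/LaunchDaemons/com.apple.example.plist", "modified", "softwareupdated", "Apple"),
    FileEvent(datetime(2024, 5, 1, 14, 22), "/Library/LaunchDaemons/com.example.helper.plist", "created", "bash", ""),
    FileEvent(datetime(2024, 5, 1, 14, 25), "/Users/alice/Library/Preferences/com.example.app.plist", "modified", "cfprefsd", "Apple"),
    FileEvent(datetime(2024, 5, 1, 3, 5), "/Library/Logs/install.log", "modified", "installd", "Apple"),
    FileEvent(datetime(2024, 5, 1, 16, 0), "/Library/Preferences/com.apple.loginwindow.plist", "modified", "cfprefsd", ""),
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE):
        print(ev.ts.isoformat(), why)
```

Two of the five constructed records are flagged: an unsigned shell process creating a LaunchDaemon plist in the afternoon, and a write attributed to an expected writer whose signing identity does not match the baseline.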
Mitigation priorities
- Establish reliable macOS endpoint logging collection for FSEvents and Unified Logs before relying on this analytic operationally.
- Maintain an inventory of expected software update mechanisms, MDM tools, administrative processes, and approved maintenance windows.
- Restrict and review privileged access capable of modifying system and application directories.
- Use change management and endpoint configuration controls to make unexpected modifications easier to distinguish from approved activity.
- Ensure incident response playbooks include triage steps for suspicious plist, structured data, and log modification events on macOS.
Analyst notes and limits
The object is an ATT&CK detection analytic, not a technique. Its practical value is as a macOS visibility and change-monitoring control check. The strongest local validation question is whether file modification telemetry can be correlated with the responsible process and with expected update activity.
The supplied fields do not include an official detection rule, tactics, technique relationships, mitigations, actors, campaigns, or evidence of active exploitation. Conclusions should therefore be limited to macOS file-modification monitoring in the locations and data types named by ATT&CK. Local environment baselines are required to determine suspiciousness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f6c857a98c06… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0164
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.