AN0245: Analytic 0245
Detects unauthorized TCC access or use of Quartz Event Services (CGEventTapCreate) or IOHID for event tap installation within unexpected processes.
Analyst context for executives and security teams
This analytic matters because it focuses on macOS processes attempting to gain sensitive input-event visibility through TCC-related access, Quartz Event Services, or IOHID event tap installation. For security leaders, the practical issue is whether the organization can tell the difference between expected accessibility/input-monitoring behavior and unexpected processes that may create privacy, credential exposure, or incident response concerns on managed Macs.
Executive priority
Prioritize this as a macOS endpoint visibility and control-validation question: which applications are allowed to receive sensitive accessibility or input-monitoring permissions, and can the SOC prove when unexpected processes attempt that behavior? This is relevant to executive risk decisions around endpoint hardening, identity protection, compliance evidence for privacy-sensitive access, and incident response readiness for Mac fleets.
Technical view
SOC and detection teams should validate whether macOS telemetry can identify unauthorized TCC access attempts and process use of Quartz Event Services, specifically CGEventTapCreate, or IOHID for event tap installation. Because ATT&CK provides no official detection logic and no relationship context for this analytic, teams should treat it as a detection objective rather than a complete rule. Focus validation on unexpected process names, signing status where available, parent process context, TCC permission state, and whether the process is known and approved for accessibility or input-monitoring functions.
Likely telemetry
- macOS endpoint process execution telemetry
- TCC permission and privacy-control events where available
- Endpoint security or EDR events related to accessibility/input monitoring behavior
- API or behavioral telemetry indicating CGEventTapCreate use
- IOHID-related event tap or input monitoring activity
Detection direction
- Inventory legitimate macOS applications that require accessibility or input-monitoring permissions to reduce false positives.
- Alert on event tap installation behavior by unexpected processes, especially where the process lacks an approved business purpose.
- Correlate TCC access changes with process execution and user context rather than relying on a single event.
- Tune carefully for legitimate assistive technology, remote support, automation, security tooling, and device-management software.
- Validate whether current EDR or macOS logging actually captures Quartz Event Services or IOHID behavior; absence of this telemetry is a material blind spot.
Mitigation priorities
- Establish and maintain an approved list of applications permitted to use macOS accessibility or input-monitoring capabilities.
- Use endpoint management controls to restrict or review sensitive TCC permissions where organizational policy allows.
- Harden macOS software installation and execution paths so unapproved processes are less likely to obtain sensitive permissions.
- Ensure incident response playbooks include review of TCC permissions, suspicious process context, and recently installed applications on affected Macs.
- Maintain audit evidence showing which applications are authorized for privacy-sensitive access and how exceptions are reviewed.
Analyst notes and limits
This object is a detection analytic for macOS only. It describes detection of unauthorized TCC access or use of Quartz Event Services via CGEventTapCreate or IOHID for event tap installation within unexpected processes. No ATT&CK tactics, relationships, aliases, or official detection procedure were supplied, so the take emphasizes validation requirements and telemetry gaps rather than a specific detection rule.
The supplied ATT&CK fields do not include official detection logic, related techniques, mitigations, data components, adversary use, or active exploitation context. Local application baselines, macOS management policy, and endpoint telemetry capabilities are required to determine practical coverage and priority.
Analytic 0245
Detects unauthorized TCC access or use of Quartz Event Services (CGEventTapCreate) or IOHID for event tap installation within unexpected processes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 49e1119d9711… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0245Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.