MITRE ATT&CK® Analytic

AN0249: Analytic 0249

Correlates removable volume mounts (disk arbitration) with file I/O events on that volume, followed by same file execution shortly after insert.

Enterprise | AN0249 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a practical macOS risk pattern: a removable volume is mounted, files are accessed on that volume, and the same file is executed soon after insertion. For leaders, the value is not the specific rule name but whether the organization can prove it has enough macOS endpoint visibility to identify potentially risky removable-media execution before it becomes an incident-response blind spot.

Executive priority

Prioritize this as a validation point for macOS endpoint monitoring, removable-media governance, and incident readiness. Security leaders should ask whether SOC teams can correlate device insertion, file activity, and process execution on macOS endpoints, and whether policy exceptions for legitimate removable media use are documented for audit and response decisions.

Technical view

For SOC and detection engineering teams, validate that macOS telemetry can correlate disk arbitration or removable volume mount events with file I/O on the mounted volume and subsequent execution of that same file within a short time window. Because ATT&CK does not provide official detection logic or related techniques here, local tuning should define the correlation window, path matching, user context, and handling of expected software installation or administrative workflows.

Likely telemetry

  • macOS removable volume mount or disk arbitration events
  • File I/O events on mounted removable volumes
  • Process execution events with executable path, timestamp, user, and parent process where available
  • Volume or device metadata sufficient to link file activity and execution to the same removable volume
  • Endpoint inventory or policy context for systems where removable media use is expected

Detection direction

  • Confirm the SOC can join mount, file I/O, and execution telemetry using timestamps, volume identifiers, and file paths.
  • Tune the “shortly after insert” window against local macOS behavior to reduce noise from legitimate installers, support workflows, or user file access.
  • Review blind spots where endpoint agents do not capture file I/O, removable volume metadata, or process execution paths on macOS.
  • Use allowlisting or exception context carefully; an approved removable media workflow should not suppress all execution visibility.
  • Create triage guidance that distinguishes simple file browsing from execution of a file sourced from the newly mounted volume.
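The join described in the Technical view and Detection direction above, as an added example that is not part of the MITRE object or of Glexia's analysis: it runs over constructed sample events (field names, paths, users and timestamps are assumptions) and raises an alert only when an executed file sits on a removable volume mounted within the tuning window and the same file saw I/O between mount and execution, so plain file browsing and late or non-removable executions stay silent.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), normalised to one shape:
# ts = ISO-8601 timestamp, type = mount | file_open | exec.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "mount", "volume": "/Volumes/USB_DISK",
     "removable": True, "user": "alice"},
    {"ts": "2024-01-10T09:00:20", "type": "file_open",               # browsing only
     "path": "/Volumes/USB_DISK/report.pdf", "user": "alice"},
    {"ts": "2024-01-10T09:00:45", "type": "file_open",
     "path": "/Volumes/USB_DISK/setup", "user": "alice"},
    {"ts": "2024-01-10T09:01:00", "type": "exec",
     "path": "/Volumes/USB_DISK/setup", "user": "alice", "parent": "Finder"},
    {"ts": "2024-01-10T09:02:00", "type": "mount", "volume": "/Volumes/BackupHDD",
     "removable": True, "user": "bob"},
    {"ts": "2024-01-10T10:30:00", "type": "exec",                    # long after mount
     "path": "/Volumes/BackupHDD/tool", "user": "bob", "parent": "Terminal"},
    {"ts": "2024-01-10T09:05:00", "type": "exec",                    # not removable media
     "path": "/usr/bin/open", "user": "alice", "parent": "Finder"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """One alert per exec whose file lives on a removable volume mounted within
    `window` before the exec and was opened between the mount and the exec.
    `window` is the local tuning knob the Detection direction refers to."""
    mounts = [e for e in events if e["type"] == "mount" and e.get("removable")]
    opens = [e for e in events if e["type"] == "file_open"]
    alerts = []
    for ex in (e for e in events if e["type"] == "exec"):
        t_exec = _ts(ex)
        # Join on volume identity (path prefix) and a bounded mount-to-exec delay.
        mount = next((m for m in mounts
                      if ex["path"].startswith(m["volume"].rstrip("/") + "/")
                      and timedelta(0) <= t_exec - _ts(m) <= window), None)
        if mount is None:
            continue
        # Require prior I/O on the *same file*; opening other files is browsing.
        touched = any(o["path"] == ex["path"] and _ts(mount) <= _ts(o) <= t_exec
                      for o in opens)
        if touched:
            alerts.append({"user": ex["user"], "volume": mount["volume"],
                           "file": ex["path"], "parent": ex.get("parent"),
                           "seconds_after_mount": (t_exec - _ts(mount)).total_seconds()})
    return alerts
```

With the default five-minute window only the USB_DISK execution is reported; narrowing the window to 30 seconds suppresses it, which is the kind of noise trade-off the tuning step above asks teams to make locally.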

Mitigation priorities

  • Establish or review policy for removable media use on macOS endpoints, especially for sensitive roles and shared systems.
  • Ensure macOS endpoint logging and EDR configuration capture removable volume mounts, file activity, and process execution events needed for correlation.
  • Limit unnecessary removable media usage where business process allows, and document approved exceptions.
  • Prepare incident response procedures for scoping which user, host, volume, and executed file were involved when this pattern appears.
  • Use compliance evidence to show both preventive policy and detective telemetry coverage for removable-media execution risk.

Analyst notes and limits

This is a detection analytic object, not a technique description. Its main operational value is as a coverage test: can the environment correlate removable volume insertion, file access, and execution on macOS endpoints? No relationship context or tactic mapping was supplied, so interpretation should stay centered on the described telemetry pattern.

Official detection logic, tactics, relationships, aliases, and labels were not supplied. The object only specifies macOS as the platform and describes the intended correlation. Local validation is required to determine feasibility, expected noise, and control coverage.

Official MITRE ATT&CK definition

Analytic 0249

Correlates removable volume mounts (disk arbitration) with file I/O events on that volume, followed by same file execution shortly after insert.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: fbd913d10654d3b2...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (empty)          1.0             (empty)   Current bundle  fbd913d10654…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0249

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.