MITRE ATT&CK® Analytic

AN0284: Analytic 0284

Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.

Enterprise | AN0284 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because unauthorized access to macOS input services can indicate attempts to bypass Apple privacy controls and observe user activity, such as keystrokes or screen interaction. For leaders, the practical issue is not just malware detection; it is whether the organization can prove that macOS endpoints are monitored for abuse of sensitive input and accessibility-style services that could expose credentials, confidential work, or regulated data.

Executive priority

Prioritize this where macOS systems are used by executives, developers, administrators, finance staff, or other users handling sensitive information. The key business question is whether endpoint monitoring, privacy-control governance, and incident response playbooks can identify and investigate unauthorized access to input services such as IOHIDSystem or Quartz Event Services. This supports resilience, audit evidence, and identity risk reduction because keylogging or screen monitoring can undermine otherwise strong authentication and access controls.

Technical view

For SOC and detection engineering teams, validate whether macOS telemetry can show processes accessing, or attempting to bypass the controls around, input services, specifically IOHIDSystem and Quartz Event Services. On current macOS, listening to those services (for example through an event tap) is gated by the Input Monitoring entry in TCC, and capturing screen content is gated by the Screen Recording entry, so TCC authorization requests and the resulting grants are the most direct signal of both legitimate use and attempted bypass. Because the ATT&CK object provides no official detection logic and no relationship context, treat AN0284 as a detection objective rather than a ready-to-run rule. Coverage assessment should focus on which endpoint sensors record relevant process, permission, and service-access activity, and whether alerts can distinguish expected accessibility, remote support, or management tools from unauthorized monitoring behavior.

Likely telemetry

  • macOS endpoint security or EDR events involving process access to input services
  • Process execution and process lineage for applications interacting with IOHIDSystem or Quartz Event Services
  • macOS privacy, permission, or TCC-related events where collected
  • Application authorization or configuration records for approved accessibility/input-monitoring use
  • Endpoint inventory showing macOS systems and approved remote support, accessibility, or monitoring software

Detection direction

  • Confirm whether existing macOS telemetry exposes access to IOHIDSystem and Quartz Event Services; many environments may not collect this detail by default.
  • Baseline legitimate business software that may interact with input services, such as approved accessibility, management, or support tooling, to reduce false positives.
  • Prioritize anomalous process lineage, unsigned or unapproved applications, unusual user context, or unexpected access by tools not normally associated with input monitoring.
  • Because no official detection is supplied, document the local analytic assumptions, tested data sources, and known blind spots before treating this as compliance or SOC coverage evidence.
  • Use relationship-free interpretation: do not infer a specific tactic, campaign, or technique beyond the supplied description of monitoring for TCC-bypassing or unauthorized input-service access.
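The baselining step above (compare every active grant for input-monitoring-class services against an approved inventory, and weight unknown clients and unusual context) can be run as a state check against the TCC database. The script below is an added example, not code from MITRE or Glexia. It builds an in-memory SQLite table from constructed rows shaped like a subset of the `access` table in TCC.db, then reports grants for the services that gate IOHIDSystem/event-tap listening, synthetic input, Accessibility, and screen capture that are not on the approved list. The `kTCCService*` names are real macOS identifiers; the column subset, the `auth_value`/`auth_reason`/`client_type` meanings, and the sample rows are assumptions drawn from public descriptions of TCC.db and must be verified against the macOS version in scope.

```python
"""Baseline active TCC grants for input-monitoring-class services against an approved inventory.

Added example (not part of the ATT&CK object or the Glexia page). Everything
below the WATCHED_SERVICES names is an assumption to verify on the target macOS
version; the sample rows are constructed.
"""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass

# Real kTCCService* identifiers; the descriptions are assumptions to verify.
WATCHED_SERVICES = {
    "kTCCServiceListenEvent": "Input Monitoring (IOHIDSystem / CGEventTap listening)",
    "kTCCServicePostEvent": "Synthetic input events (CGEventPost)",
    "kTCCServiceAccessibility": "Accessibility (observe/control other apps)",
    "kTCCServiceScreenCapture": "Screen Recording (window/display capture)",
}

AUTH_ALLOWED = 2       # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited (assumption)
CLIENT_TYPE_PATH = 1   # client_type: 0 bundle identifier, 1 absolute path (assumption)
AUTH_REASON = {2: "user consent", 3: "user set", 4: "system set", 6: "MDM policy"}  # partial, assumption

# Hypothetical approved inventory: client -> services it is allowed to hold.
APPROVED = {
    "com.example.remotesupport": {"kTCCServiceScreenCapture", "kTCCServiceAccessibility"},
    "com.apple.Terminal": {"kTCCServiceAccessibility"},
}


@dataclass(frozen=True)
class Finding:
    service: str
    client: str
    client_type: int
    auth_reason: str
    why: str


def build_constructed_db() -> sqlite3.Connection:
    """Constructed stand-in for the system TCC.db `access` table (column subset)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    rows = [
        # Approved remote-support tool, granted by MDM policy: expected, not reported.
        ("kTCCServiceScreenCapture", "com.example.remotesupport", 0, 2, 6, 1700000000),
        ("kTCCServiceAccessibility", "com.example.remotesupport", 0, 2, 6, 1700000000),
        # Terminal is approved for Accessibility only; its Input Monitoring grant is out of scope.
        ("kTCCServiceAccessibility", "com.apple.Terminal", 0, 2, 2, 1700000100),
        ("kTCCServiceListenEvent", "com.apple.Terminal", 0, 2, 2, 1700000200),
        # Unknown binary identified by path with a user-consented Input Monitoring grant.
        ("kTCCServiceListenEvent", "/Users/alice/Library/Caches/.updater", 1, 2, 2, 1700000300),
        # Denied request: no active grant, so not reported.
        ("kTCCServiceScreenCapture", "com.example.unknownapp", 0, 0, 2, 1700000400),
        # Service outside the watched set: ignored by this check.
        ("kTCCServiceMicrophone", "com.example.chat", 0, 2, 2, 1700000500),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    return conn


def find_unapproved_grants(conn: sqlite3.Connection, approved: dict[str, set[str]]) -> list[Finding]:
    """Return every active grant for a watched service that the inventory does not approve."""
    placeholders = ",".join("?" * len(WATCHED_SERVICES))
    cur = conn.execute(
        "SELECT service, client, client_type, auth_reason FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders}) ORDER BY client, service",
        (AUTH_ALLOWED, *WATCHED_SERVICES),
    )
    findings: list[Finding] = []
    for service, client, client_type, reason in cur:
        if service in approved.get(client, set()):
            continue
        why = "client not in approved inventory" if client not in approved else "service not approved for client"
        if client_type == CLIENT_TYPE_PATH:
            # Path-bound grants are weaker evidence of identity than a bundle ID; treat as higher priority.
            why += "; grant bound to a filesystem path rather than a bundle identifier"
        findings.append(Finding(service, client, client_type, AUTH_REASON.get(reason, f"reason {reason}"), why))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_grants(build_constructed_db(), APPROVED):
        print(f"{f.service:28} {f.client:40} {f.auth_reason:13} {f.why}")
```

On a real endpoint, the grants for these services live in the system database (assumed path: /Library/Application Support/com.apple.TCC/TCC.db), which needs root and Full Disk Access to read; open it read-only with `sqlite3.connect("file:/path/to/TCC.db?mode=ro", uri=True)` in place of the constructed table. This is a point-in-time inventory check, not behavioral detection: it will not see an event tap installed by a process that already holds a grant, nor a bypass that never touches TCC, so pair it with whatever process, permission, and service-access telemetry the endpoint sensor actually records.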

Mitigation priorities

  • Maintain a governed inventory of macOS applications approved to use input-monitoring, accessibility, screen-monitoring, or remote-support capabilities.
  • Harden macOS privacy and permission management processes so exceptions are explicit, reviewed, and auditable.
  • Ensure endpoint security tooling is deployed and configured to collect relevant macOS process and permission/service-access telemetry.
  • Create an incident response procedure for suspected keylogging or screen monitoring that includes credential-risk assessment and user/system scoping.
  • Review high-risk macOS populations first, especially systems used for privileged administration or sensitive business workflows.

Analyst notes and limits

AN0284 is a detection analytic for macOS focused on TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services. The most useful Glexia action is a coverage validation exercise: determine whether the organization can observe this behavior, separate approved input-monitoring use from suspicious access, and preserve evidence for investigation.

The supplied ATT&CK fields do not include official detection logic, tactics, relationships, procedures, mitigations, or data-source mappings. This take therefore avoids attribution, exploitation claims, and guaranteed detection. Local macOS configuration, endpoint tooling, approved software inventory, and logging depth are required to assess real coverage.

Official MITRE ATT&CK definition

Analytic 0284

Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9e2bab7b619484c5...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  9e2bab7b6194…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0284

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.