AN0289: Analytic 0289
Detects unauthorized additions or changes to /Library/Security/SecurityAgentPlugins and suspicious process activity attempting to hook authentication APIs. Correlates file modifications with abnormal plugin loads in authentication flows.
Analyst context for executives and security teams
AN0289 is a macOS-focused detection analytic for unauthorized changes to /Library/Security/SecurityAgentPlugins and suspicious process activity that may hook authentication APIs. For leaders, the business issue is not just a file change: this path is tied to authentication behavior, so unapproved modifications can become an identity and workstation trust concern requiring fast validation by SOC and IR teams.
Executive priority
Prioritize this as a control-validation item for macOS fleets where authentication integrity matters, especially privileged user workstations and shared administrative systems. Leaders should ask whether the organization can prove who changed security plugin locations, whether those changes were approved, and whether endpoint telemetry can correlate file modifications with unusual authentication-flow plugin loading.
Technical view
Validate coverage on macOS for two linked signals from the official analytic description: additions or changes under /Library/Security/SecurityAgentPlugins, and abnormal plugin loads or process activity associated with authentication flows. Because ATT&CK provides no official detection logic and no relationship context for this object, teams should define local baselines for legitimate plugin changes and authentication-related process behavior before alerting broadly.
Likely telemetry
- macOS file creation, modification, and metadata changes for /Library/Security/SecurityAgentPlugins
- Endpoint process execution telemetry around authentication-related activity
- Plugin, library, or module load telemetry where available
- Endpoint detection and response events for suspicious process behavior attempting to hook authentication APIs
- Change-management or administrative activity records to validate whether plugin changes were authorized
Detection direction
- Correlate file modifications in /Library/Security/SecurityAgentPlugins with subsequent or nearby abnormal authentication-flow plugin loads.
- Tune for authorized software installs, operating system updates, and approved administrative changes to reduce false positives.
- Baseline normal macOS authentication plugin behavior by device role and management profile; unmanaged or lightly monitored endpoints are likely blind spots.
- Validate that telemetry captures both the file-system event and the related process/plugin-load behavior; either signal alone may be insufficient for confident triage.
- Document gaps explicitly because the official ATT&CK object does not provide a detection query or mapped tactics.
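One way to implement the correlation in the first bullet, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it joins constructed file-modification and plugin-load events on the plugin bundle under /Library/Security/SecurityAgentPlugins, tunes out writes that fall inside an approved change window, and alerts only when an authentication-flow process loads the modified bundle. The process names in AUTH_FLOW_PROCS, the 24-hour window and the sample events are assumptions to be tuned against local telemetry.

```python
from datetime import datetime, timedelta

PLUGIN_DIR = "/Library/Security/SecurityAgentPlugins/"
# Processes assumed to host the macOS authentication flow; tune to local telemetry.
AUTH_FLOW_PROCS = {"SecurityAgent", "authorizationhost", "loginwindow"}
WINDOW = timedelta(hours=24)  # how long a modification stays "live" for correlation

def bundle_of(path):
    """Map any file under the plugin directory to its top-level bundle name."""
    if not path.startswith(PLUGIN_DIR):
        return None
    return path[len(PLUGIN_DIR):].split("/")[0]

def correlate(events, approved):
    """Alert when a write under SecurityAgentPlugins is followed within WINDOW by a
    load of the same bundle inside an authentication-flow process; writes inside an
    approved change window (bundle -> (start, end)) are tuned out as change-controlled."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        b = bundle_of(ev["path"])
        if b is None:
            continue
        if ev["kind"] == "file_modify":
            win = approved.get(b)
            if win and win[0] <= ev["ts"] <= win[1]:
                continue  # change-controlled install: no alert
            pending.setdefault(b, []).append(ev)
        elif ev["kind"] == "plugin_load" and ev["proc"] in AUTH_FLOW_PROCS:
            for m in pending.get(b, []):
                if timedelta(0) <= ev["ts"] - m["ts"] <= WINDOW:
                    alerts.append({"bundle": b, "writer": m["proc"],
                                   "loader": ev["proc"], "lag": ev["ts"] - m["ts"]})
    return alerts

# Constructed sample telemetry (not real data): one approved MDM plugin install,
# one unapproved write by a scripting interpreter later loaded by SecurityAgent.
T0 = datetime(2024, 1, 1, 9, 0)
APPROVED = {"CorpMDM.bundle": (T0, T0 + timedelta(hours=1))}
SAMPLE = [
    {"ts": T0, "kind": "file_modify", "proc": "installer",
     "path": PLUGIN_DIR + "CorpMDM.bundle/Contents/MacOS/CorpMDM"},
    {"ts": T0 + timedelta(minutes=5), "kind": "plugin_load", "proc": "SecurityAgent",
     "path": PLUGIN_DIR + "CorpMDM.bundle/Contents/MacOS/CorpMDM"},
    {"ts": T0 + timedelta(hours=3), "kind": "file_modify", "proc": "python3",
     "path": PLUGIN_DIR + "Helper.bundle/Contents/MacOS/Helper"},
    {"ts": T0 + timedelta(hours=3, minutes=20), "kind": "plugin_load",
     "proc": "SecurityAgent", "path": PLUGIN_DIR + "Helper.bundle/Contents/MacOS/Helper"},
    {"ts": T0 + timedelta(hours=4), "kind": "plugin_load", "proc": "Finder",
     "path": PLUGIN_DIR + "Helper.bundle/Contents/MacOS/Helper"},
]
ALERTS = correlate(SAMPLE, APPROVED)  # one alert: Helper.bundle, written by python3
```

The approved-change window is the hook for the change-management records listed under "Likely telemetry"; the Finder load is dropped because only authentication-flow hosts count as a plugin load in this flow.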
Mitigation priorities
- Restrict and monitor administrative write access to /Library/Security/SecurityAgentPlugins.
- Require change control for security plugin additions or modifications on managed macOS systems.
- Ensure endpoint monitoring is deployed and collecting file and process telemetry on macOS assets in scope.
- Prepare IR procedures for validating plugin legitimacy, recent administrative actions, and affected user authentication events.
- Use this analytic as compliance evidence only after proving collection, correlation, triage ownership, and exception handling in the local environment.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied fields support macOS, the SecurityAgentPlugins path, suspicious authentication API hooking behavior, and correlation of file modification with abnormal plugin loading. No tactics, relationships, aliases, or official detection logic were supplied.
Assessment is limited to the official STIX fields and external reference provided. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local macOS configuration, endpoint tooling, and approved administrative workflows are required to determine alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 488345d557ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0289 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.