AN0344: Analytic 0344
Detects mounting of external volumes followed by high-volume or sensitive file access via Finder, terminal, or third-party apps (e.g., rsync, zip).
Analyst context for executives and security teams
This analytic matters because external volume use on macOS can be a legitimate business workflow or a path for bulk movement of sensitive data. The decision value is not simply detecting that a drive was mounted, but validating whether the organization can connect a mount event to unusually large or sensitive file access through Finder, terminal activity, or common transfer/archive tools such as rsync or zip.
Executive priority
Prioritize this as a data-handling and investigation-readiness control for macOS environments. Leaders should ask whether the organization can prove who mounted external media, what was accessed afterward, and whether that activity involved regulated, confidential, or business-critical files. This supports incident response scoping, compliance evidence, insider-risk review, and control decisions around removable media and endpoint monitoring.
Technical view
For SOC and detection engineering teams, the key validation point is correlation: external volume mounting followed by high-volume or sensitive file access on macOS. Because ATT&CK provides no formal detection logic for this analytic, teams should define local thresholds for volume, sensitivity, timing window, user context, and expected business workflows. Coverage should include activity initiated through Finder, terminal sessions, and third-party utilities named in the object, including rsync and zip.
Likely telemetry
- macOS external volume mount events
- Endpoint file access metadata for local and mounted volumes
- Process execution telemetry for terminal-launched tools
- Application activity involving Finder and third-party file transfer or archive utilities
- Command-line or process metadata for rsync and zip where collected
Detection direction
- Validate that mount events and subsequent file access are collected on macOS endpoints, not just process starts.
- Correlate external volume mounting with large-volume file reads, copies, archive creation, or access to sensitive paths within a defined time window.
- Tune thresholds by role and workflow to reduce false positives from backup, creative/media, engineering, legal discovery, or IT support activity.
- Separate normal removable-media use from unusual combinations such as new device, unusual user, atypical host, after-hours access, or access to sensitive repositories.
- Account for blind spots where Finder activity, file metadata, or removable-media events are not centrally logged.
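The correlation described in the technical view and in the detection direction above, as an added example that is not part of the original page or of ATT&CK: a mount event is joined to the file-access events that follow it on the same host and user within a time window, and an alert is raised only when local policy (per-role file and byte thresholds, sensitive path prefixes, business hours) is breached. The event schema, paths, roles, thresholds and all sample telemetry are constructed for illustration; a real deployment maps its own endpoint telemetry into this shape.

```python
from datetime import datetime, timedelta

# --- Local policy (hypothetical values; every environment sets its own) ---
WINDOW = timedelta(minutes=30)                 # mount -> file-access correlation window
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 local counts as normal
TRANSFER_TOOLS = {"rsync", "zip", "ditto", "cp", "Finder"}
SENSITIVE_PREFIXES = ("/Users/jdoe/Documents/Finance", "/Shared/Legal")
# (max files, max bytes) per role; creative/media staff legitimately move a lot
ROLE_THRESHOLDS = {"default": (25, 500_000_000), "media-editor": (2000, 50_000_000_000)}
USER_ROLE = {"jdoe": "default", "mvid": "media-editor"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _file_event(ts, host, user, process, src, dst, nbytes):
    return {"ts": ts, "type": "file", "host": host, "user": user,
            "process": process, "src": src, "dst": dst, "bytes": nbytes}


def build_sample_events():
    """Constructed telemetry, not real logs: two mount sessions plus one late event."""
    ev = [{"ts": "2024-05-01T22:03:10", "type": "mount", "host": "mac-12",
           "user": "jdoe", "volume": "/Volumes/KINGSTON", "serial": "USB-SN-0001"},
          {"ts": "2024-05-02T10:00:00", "type": "mount", "host": "mac-07",
           "user": "mvid", "volume": "/Volumes/RAID1", "serial": "TB-SN-0042"}]
    # jdoe: rsync of 60 finance spreadsheets to the USB stick, after hours
    for i in range(60):
        ev.append(_file_event(f"2024-05-01T22:{4 + i // 10:02d}:{(i % 10) * 6:02d}",
                              "mac-12", "jdoe", "rsync",
                              f"/Users/jdoe/Documents/Finance/q1_{i:02d}.xlsx",
                              f"/Volumes/KINGSTON/bak/q1_{i:02d}.xlsx", 1_200_000))
    # mvid: Finder copy of 40 raw video files to a Thunderbolt RAID during work hours
    for i in range(40):
        ev.append(_file_event(f"2024-05-02T10:{1 + i // 10:02d}:{(i % 10) * 6:02d}",
                              "mac-07", "mvid", "Finder",
                              f"/Users/mvid/Movies/raw/clip_{i:02d}.mov",
                              f"/Volumes/RAID1/proj/clip_{i:02d}.mov", 800_000_000))
    # jdoe again, 90 minutes after the mount: falls outside the window
    ev.append(_file_event("2024-05-01T23:35:00", "mac-12", "jdoe", "cp",
                          "/Users/jdoe/Documents/Finance/notes.txt",
                          "/Volumes/KINGSTON/notes.txt", 4_000))
    return ev


def correlate(events, window=WINDOW):
    """Return one alert per mount whose follow-on file access breaches local policy."""
    mounts = [e for e in events if e["type"] == "mount"]
    files = [e for e in events if e["type"] == "file"]
    alerts = []
    for m in mounts:
        t0, t1 = _ts(m), _ts(m) + window
        # Same host, same user, inside the window, and touching the mounted volume
        related = [f for f in files
                   if f["host"] == m["host"] and f["user"] == m["user"]
                   and t0 <= _ts(f) <= t1
                   and (f["dst"].startswith(m["volume"]) or f["src"].startswith(m["volume"]))]
        if not related:
            continue
        n_files = len(related)
        n_bytes = sum(f["bytes"] for f in related)
        sensitive = sorted({f["src"] for f in related if f["src"].startswith(SENSITIVE_PREFIXES)})
        tools = sorted({f["process"] for f in related} & TRANSFER_TOOLS)
        max_files, max_bytes = ROLE_THRESHOLDS[USER_ROLE.get(m["user"], "default")]
        reasons = []
        if n_files > max_files:
            reasons.append("file_count")
        if n_bytes > max_bytes:
            reasons.append("byte_volume")
        if sensitive:
            reasons.append("sensitive_path")
        if t0.hour not in BUSINESS_HOURS:
            reasons.append("after_hours")
        if reasons:
            alerts.append({"host": m["host"], "user": m["user"], "volume": m["volume"],
                           "serial": m["serial"], "mounted_at": m["ts"],
                           "files": n_files, "bytes": n_bytes, "tools": tools,
                           "sensitive_sample": sensitive[:3], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

The media editor's 32 GB Finder copy produces no alert because the role threshold absorbs it, while the after-hours rsync of sixty finance files trips three reasons at once; the `cp` ninety minutes later is dropped by the window. In production the `serial` field is what lets a "new device for this user" condition be added alongside the reasons shown here.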
Mitigation priorities
- Confirm policy and technical requirements for removable media use on macOS systems.
- Ensure endpoint logging captures external volume mounts, file access, and relevant process metadata with sufficient retention for investigations.
- Define sensitive data locations or classification signals so detection can distinguish ordinary file access from higher-risk activity.
- Apply least-privilege and data access controls to reduce unnecessary exposure of sensitive files.
- Use removable-media restrictions, approval workflows, or monitoring where business risk justifies them.
Analyst notes and limits
This is a detection analytic object, not a technique description. Its value is in validating macOS telemetry and correlation coverage around external volume use followed by bulk or sensitive file access. The supplied object names Finder, terminal, rsync, zip, and third-party apps as relevant activity paths, but does not provide analytic logic, thresholds, tactics, or relationships.
Official detection content is not provided, tactics are unspecified, and no relationship context is supplied. Local environment data is required to define sensitive files, normal removable-media workflows, thresholds, and response actions. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a831029c28e5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack, AN0344 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.