MITRE ATT&CK® Analytic

AN0457: Analytic 0457

Chain: (1) execution of `pwpolicy` or MDM/DirectoryService reads of account policies; (2) optional read of `/Library/Preferences/com.apple.loginwindow` or config profiles; (3) follow-on credential probing or lateral movement by same user/session. Use unified logs and process telemetry.

Domain: Enterprise. Object: AN0457 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on macOS activity that can reveal how account and login policies are configured, followed by suspicious credential probing or lateral movement in the same user/session. For leaders, the decision value is not simply whether `pwpolicy` runs, but whether the organization can connect policy-discovery activity to later identity misuse signals on macOS endpoints.

Executive priority

Prioritize this as a macOS identity and endpoint visibility validation item. Security leaders should ask whether SOC and IR teams can reconstruct a same-session chain across process execution, unified logs, policy reads, and later credential or movement activity. This supports incident decision-making, audit evidence for endpoint monitoring, and control prioritization around managed macOS fleets.

Technical view

Validate whether macOS telemetry can identify execution of `pwpolicy`, MDM or DirectoryService reads of account policies, optional reads of `/Library/Preferences/com.apple.loginwindow` or configuration profiles, and follow-on credential probing or lateral movement by the same user/session. Because no ATT&CK tactic or standalone detection logic is supplied, treat this as a correlation analytic rather than a single-event alert.

Likely telemetry

  • macOS unified logs
  • macOS process execution telemetry
  • MDM-related activity logs where available
  • DirectoryService read activity where available
  • File or preference access telemetry for `/Library/Preferences/com.apple.loginwindow`

Detection direction

  • Confirm that `pwpolicy` execution is logged with user, host, timestamp, parent process, and session context.
  • Validate visibility into MDM or DirectoryService account-policy reads, not only command-line process events.
  • Correlate optional loginwindow preference or configuration profile reads with later suspicious activity by the same user/session.
  • Tune carefully for administrative and help desk workflows that may legitimately inspect macOS account or login policies.
  • Avoid alerting on policy reads alone unless local baselines show they are unusual or they are followed by credential probing or lateral movement indicators.
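As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python correlator implements the chain and tuning described above over constructed sample events: a `pwpolicy` execution (stage 1) is raised as high severity only when the same user/session shows credential probing or lateral movement within a window (stage 3), with a loginwindow preference read (stage 2) recorded as enrichment, and a bare policy read is reported at low severity only for users outside an assumed administrative baseline. The event schema, the 60-minute window, the `BASELINED_ADMINS` set, the `AUTH_FAIL_THRESHOLD` and the `LATERAL_TOOLS` list are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): process executions, file reads
# and authentication failures normalized from unified logs / EDR into one schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "helpdesk1", "session": "s1", "kind": "exec", "detail": "/usr/bin/pwpolicy -getaccountpolicies"},
    {"ts": "2024-05-01T10:15:00", "user": "jdoe", "session": "s7", "kind": "exec", "detail": "/usr/bin/pwpolicy -getaccountpolicies"},
    {"ts": "2024-05-01T10:15:20", "user": "jdoe", "session": "s7", "kind": "file_read", "detail": "/Library/Preferences/com.apple.loginwindow.plist"},
    {"ts": "2024-05-01T10:22:00", "user": "jdoe", "session": "s7", "kind": "auth_failure", "detail": "admin"},
    {"ts": "2024-05-01T10:22:05", "user": "jdoe", "session": "s7", "kind": "auth_failure", "detail": "admin"},
    {"ts": "2024-05-01T10:22:10", "user": "jdoe", "session": "s7", "kind": "auth_failure", "detail": "root"},
    {"ts": "2024-05-01T10:30:00", "user": "jdoe", "session": "s7", "kind": "exec", "detail": "/usr/bin/ssh fileserver.internal"},
    {"ts": "2024-05-01T14:00:00", "user": "mlee", "session": "s9", "kind": "exec", "detail": "/usr/bin/pwpolicy -getaccountpolicies"},
]

BASELINED_ADMINS = {"helpdesk1"}  # assumed: roles approved to inspect account policies
WINDOW = timedelta(minutes=60)    # assumed correlation window within one user/session
AUTH_FAIL_THRESHOLD = 3           # assumed: failures that count as credential probing
LATERAL_TOOLS = ("/usr/bin/ssh", "/usr/bin/scp")  # assumed lateral-movement indicators

def stage1(e):  # pwpolicy execution, or a normalized MDM/DirectoryService policy read
    return (e["kind"] == "exec" and "pwpolicy" in e["detail"]) or e["kind"] == "policy_read"

def stage2(e):  # optional loginwindow preference or configuration profile read
    return (e["kind"] == "file_read" and "com.apple.loginwindow" in e["detail"]) or e["kind"] == "profile_read"

def correlate(events):
    """Emit a finding per user/session whose policy read is followed by stage 3 (high)
    or, for users outside the admin baseline, stands alone (low)."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = []
    for (user, session), evs in by_session.items():
        evs.sort(key=lambda x: x["ts"])
        for i, e in enumerate(evs):
            if not stage1(e):
                continue
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= WINDOW]
            fails = sum(1 for x in later if x["kind"] == "auth_failure")
            lateral = any(x["kind"] == "exec" and x["detail"].startswith(LATERAL_TOOLS) for x in later)
            finding = {"user": user, "session": session, "stage2": any(stage2(x) for x in later),
                       "auth_failures": fails, "lateral": lateral}
            if fails >= AUTH_FAIL_THRESHOLD or lateral:
                findings.append({**finding, "severity": "high"})
            elif user not in BASELINED_ADMINS:   # policy read alone: only outside baseline
                findings.append({**finding, "severity": "low"})
    return findings
```

On the sample data this yields one high-severity finding for `jdoe` (stage 2 present, three failures, outbound ssh), one low-severity finding for `mlee`, and nothing for the baselined `helpdesk1` session.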

Mitigation priorities

  • Establish complete macOS endpoint logging for unified logs and process telemetry before relying on this analytic.
  • Baseline legitimate administrative use of `pwpolicy`, DirectoryService, MDM reads, loginwindow preference access, and configuration profile inspection.
  • Strengthen identity monitoring so follow-on credential probing or lateral movement can be tied back to the same macOS user/session.
  • Limit administrative access and policy-inspection capability to approved roles where operationally feasible.
  • Use incident response playbooks that preserve macOS logs and process/session context when this chain is observed.

Analyst notes and limits

The supplied object is a detection analytic for macOS with a chain-based description. There are no supplied relationships, tactics, aliases, labels, or official detection text beyond the description, so the practical value is in validating telemetry and correlation capability rather than mapping to a broader ATT&CK behavior set.

This take is limited to the official STIX fields, external reference, and absence of relationship context supplied for AN0457. It does not establish active exploitation, actor attribution, business impact, or guaranteed detectability. Local macOS fleet configuration, MDM coverage, endpoint logging, and identity telemetry are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 0457

Chain: (1) execution of `pwpolicy` or MDM/DirectoryService reads of account policies; (2) optional read of `/Library/Preferences/com.apple.loginwindow` or config profiles; (3) follow-on credential probing or lateral movement by same user/session. Use unified logs and process telemetry.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (none in snapshot)
Modified: (none in snapshot)
Raw hash: 228256bc7798a36d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (none in snapshot) | 1.0 | (none in snapshot) | Current bundle | 228256bc7798…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0457 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.