AN0547: Analytic 0547
Detects modifications to authorization plugins responsible for MFA enforcement and correlates with suspicious login sessions missing MFA prompts.
Analyst context for executives and security teams
This analytic matters because it focuses on a macOS control point that can affect whether multi-factor authentication is actually enforced at login. For executives and security leaders, the decision value is not simply “detect a file change”; it is validating that MFA-dependent access controls cannot be silently weakened without SOC visibility and incident response follow-up.
Executive priority
Prioritize this where macOS endpoints are part of privileged, executive, developer, or regulated-access workflows. The business question is whether identity assurance depends on local authorization components that could be modified, and whether the organization has evidence to prove MFA enforcement remained intact during suspicious login activity. This supports resilience, access-control governance, and audit readiness, but local environment validation is required because ATT&CK provides no broader tactic mapping or relationship context for this analytic.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for macOS authorization plugin changes related to MFA enforcement and correlate those changes with login sessions that do not show expected MFA prompts. Because no official detection logic is supplied, teams should define the expected plugin locations, approved baselines, change windows, and normal login/MFA telemetry for their own macOS fleet before turning this into alerting.
Likely telemetry
- macOS file integrity or endpoint telemetry for authorization plugin modification events
- Endpoint security logs showing process, user, timestamp, and path context for relevant plugin changes
- Authentication or login session records from macOS systems
- MFA prompt, challenge, or enforcement records from the identity/MFA system
- Change-management records for approved MFA or authorization component updates
Detection direction
- Correlate authorization plugin modification events with subsequent or nearby macOS login sessions where expected MFA prompts are absent.
- Baseline legitimate MFA plugin updates and administrative maintenance to reduce false positives.
- Validate time synchronization between endpoint, login, and MFA systems so correlation is reliable.
- Check for blind spots where macOS endpoints report file changes but MFA prompt telemetry is unavailable, or where identity logs are not linked back to device login sessions.
- Treat unapproved modification plus missing MFA evidence as higher priority than either signal alone, consistent with the analytic description.
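The correlation rule above (plugin change, nearby login, MFA evidence present/missing/unavailable, approved change windows, priority when both signals coincide) as a worked example in Python. This is added example code, not detection logic from ATT&CK or Glexia; the event field names, the monitored plugin directory, the 24-hour login window and 120-second MFA-prompt window are assumptions, and every record below is constructed for the demonstration. Timestamps carry explicit UTC offsets so the comparison does not depend on the clock of the collecting system, which is the time-synchronization point made above.

```python
"""Correlate authorization-plugin modifications with macOS logins lacking MFA evidence.

Added example, not from the ATT&CK page. Event shapes, field names, windows and
the plugin path are assumptions; all records are constructed sample telemetry.
"""
from datetime import datetime, timedelta

PLUGIN_DIR = "/Library/Security/SecurityAgentPlugins/"  # assumed monitored location
LOGIN_WINDOW = timedelta(hours=24)    # a login this long after a change counts as "nearby"
MFA_WINDOW = timedelta(seconds=120)   # an MFA prompt this close to a login counts as evidence

# --- constructed sample telemetry -------------------------------------------
PLUGIN_MODS = [  # file-integrity / endpoint events
    {"ts": "2026-03-02T09:15:00+00:00", "host": "mac-eng-07", "user": "root",
     "process": "/usr/bin/cp", "path": PLUGIN_DIR + "CorpMFA.bundle/Contents/MacOS/CorpMFA"},
    {"ts": "2026-03-03T02:40:00+00:00", "host": "mac-exec-02", "user": "root",
     "process": "/usr/bin/python3", "path": PLUGIN_DIR + "CorpMFA.bundle/Contents/MacOS/CorpMFA"},
    {"ts": "2026-03-03T07:30:00+00:00", "host": "mac-hr-11", "user": "root",
     "process": "/bin/sh", "path": PLUGIN_DIR + "CorpMFA.bundle/Contents/MacOS/CorpMFA"},
]
LOGINS = [  # macOS login session records
    {"ts": "2026-03-02T09:30:00+00:00", "host": "mac-eng-07", "user": "alice", "session": "s1"},
    {"ts": "2026-03-03T03:05:00+00:00", "host": "mac-exec-02", "user": "ceo", "session": "s2"},
    {"ts": "2026-03-03T03:20:00+00:00", "host": "mac-exec-02", "user": "ceo", "session": "s3"},
    {"ts": "2026-03-03T08:00:00+00:00", "host": "mac-hr-11", "user": "bob", "session": "s4"},
]
MFA_PROMPTS = [  # records from the identity / MFA system
    {"ts": "2026-03-02T09:30:12+00:00", "host": "mac-eng-07", "user": "alice", "result": "success"},
    {"ts": "2026-03-03T03:20:30+00:00", "host": "mac-exec-02", "user": "ceo", "result": "success"},
]
APPROVED_CHANGES = [  # change-management windows for MFA component maintenance
    {"host": "mac-eng-07", "start": "2026-03-02T09:00:00+00:00", "end": "2026-03-02T10:00:00+00:00"},
]
MFA_TELEMETRY_HOSTS = {"mac-eng-07", "mac-exec-02"}  # hosts whose MFA prompts actually reach the SIEM


def parse_ts(value):
    """ISO-8601 with an explicit offset, so all comparisons are in one time base."""
    return datetime.fromisoformat(value)


def is_approved(mod, approved):
    t = parse_ts(mod["ts"])
    return any(c["host"] == mod["host"] and parse_ts(c["start"]) <= t <= parse_ts(c["end"])
               for c in approved)


def has_mfa_evidence(login, prompts):
    t = parse_ts(login["ts"])
    return any(p["host"] == login["host"] and p["user"] == login["user"]
               and abs(parse_ts(p["ts"]) - t) <= MFA_WINDOW for p in prompts)


def correlate(mods, logins, prompts, approved, mfa_hosts):
    """Return one finding per (plugin change, nearby login) pair worth an analyst's attention."""
    findings = []
    for mod in mods:
        if not mod["path"].startswith(PLUGIN_DIR):
            continue  # not an authorization plugin change
        mod_t = parse_ts(mod["ts"])
        approved_flag = is_approved(mod, approved)
        for login in logins:
            if login["host"] != mod["host"]:
                continue
            delta = parse_ts(login["ts"]) - mod_t
            if not (timedelta(0) <= delta <= LOGIN_WINDOW):
                continue
            # Distinguish "no prompt recorded" from "this host cannot report prompts".
            if login["host"] not in mfa_hosts:
                mfa_state = "telemetry_gap"
            elif has_mfa_evidence(login, prompts):
                mfa_state = "present"
            else:
                mfa_state = "missing"
            # Unapproved change plus missing MFA evidence outranks either signal alone.
            score = (0 if approved_flag else 1) + {"missing": 2, "telemetry_gap": 1, "present": 0}[mfa_state]
            if score == 0:
                continue  # approved maintenance with MFA still evidenced: nothing to raise
            severity = {3: "high", 2: "medium", 1: "low"}[score]
            findings.append({"session": login["session"], "host": login["host"],
                             "user": login["user"], "mod_path": mod["path"],
                             "mod_process": mod["process"], "approved": approved_flag,
                             "mfa": mfa_state, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in correlate(PLUGIN_MODS, LOGINS, MFA_PROMPTS, APPROVED_CHANGES, MFA_TELEMETRY_HOSTS):
        print(f["severity"].upper(), f["host"], f["session"], f["user"], "mfa=" + f["mfa"],
              "approved=" + str(f["approved"]))
```

With the constructed data, session s2 on mac-exec-02 is the high-priority case (unapproved change followed by a login with no prompt within the window), s3 on the same host is low (change unapproved, but MFA evidence exists), and s4 on mac-hr-11 is medium because the host's MFA prompts never reach the SIEM, which is the blind spot called out above rather than proof of missing MFA.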
Mitigation priorities
- Inventory macOS systems where local authorization plugins participate in MFA enforcement.
- Restrict and monitor administrative ability to modify authorization-related components on those systems.
- Establish approved change procedures and integrity baselines for MFA enforcement components.
- Ensure MFA and endpoint telemetry are retained and can be correlated during incident response.
- Periodically test whether expected macOS login events generate both endpoint evidence and MFA prompt/enforcement evidence.
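The integrity-baseline item above, as an added Python example (not tooling from ATT&CK or Glexia): snapshot the SHA-256 of every file under an authorization-plugin directory, store that as the approved baseline, and report added, removed and modified files on the next run. The plugin bundle layout and file contents are constructed in a temporary directory so the script runs offline; a real deployment would point `snapshot()` at the plugin location the team has defined and keep the baseline somewhere the endpoint's administrators cannot silently rewrite.

```python
"""Integrity baseline for authorization-plugin files.

Added example, not from the ATT&CK page. The directory layout and file
contents in demo() are constructed; the plugin path is an assumption.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest.

    Symlinks are skipped so a link pointing outside the plugin tree cannot
    make an unrelated file appear as part of the baseline.
    """
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def compare(baseline, current):
    """Return which files were added, removed or changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed plugin bundle, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_bin = Path(tmp) / "CorpMFA.bundle" / "Contents" / "MacOS"
        plugin_bin.mkdir(parents=True)
        (plugin_bin / "CorpMFA").write_bytes(b"constructed original plugin binary")
        (plugin_bin.parent / "Info.plist").write_text("<plist version=\"1.0\"/>")
        baseline = snapshot(tmp)           # what change management approved
        baseline_json = json.dumps(baseline, indent=2, sort_keys=True)  # store this off-host

        # Simulated later state: binary replaced, extra library dropped in.
        (plugin_bin / "CorpMFA").write_bytes(b"constructed replaced plugin binary")
        (plugin_bin / "helper.dylib").write_bytes(b"constructed new file")

        return compare(json.loads(baseline_json), snapshot(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff output is the "authorization plugin modification event" that the correlation step consumes; the baseline serialised as JSON is what the approved-change procedure should update, so any difference that is not accompanied by a change record is by definition unapproved.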
Analyst notes and limits
This object is a detection analytic for macOS, external ID AN0547, tied to MITRE DET0190. The useful defensive concept is correlation: plugin modification alone may be administrative, and a missing MFA prompt alone may require context, but together they raise concern about MFA enforcement integrity.
ATT&CK provides no official detection logic, no tactics, no relationships, no aliases, and no additional platform scope beyond macOS. This take does not infer active exploitation, adversary attribution, impact, or guaranteed detection coverage. Implementation depends on local MFA architecture, endpoint logging, and identity telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 119cf96d4c7b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0547 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.