AN0570: Analytic 0570
A non-whitelisted process receives TCC camera entitlement (kTCCServiceCamera), opens AppleCamera/AVFoundation device handles, writes .mov/.mp4 artifacts to unusual locations, and/or beacons/exfiltrates soon after.
Analyst context for executives and security teams
AN0570 is a macOS detection analytic focused on suspicious camera access: a process that is not on an approved list receives TCC camera entitlement, opens Apple camera or AVFoundation handles, writes video artifacts such as .mov or .mp4 files to unusual locations, and/or communicates externally soon afterward. For leaders, the practical issue is privacy, executive surveillance risk, and evidence readiness: organizations need to know whether they can prove which macOS processes accessed camera services, what files were created, and whether data left the endpoint.
Executive priority
Prioritize this analytic where macOS endpoints are used by executives, regulated teams, engineering staff, or other sensitive users. The decision value is not only malware detection; it is validating whether endpoint privacy controls, SOC telemetry, and incident response processes can answer camera-access questions quickly. This supports operational resilience, privacy/compliance evidence, and incident scoping when suspicious media creation or post-access network activity is observed.
Technical view
Validate macOS coverage for TCC camera entitlement events involving kTCCServiceCamera, process identity, device-handle access to AppleCamera or AVFoundation components, file creation of .mov/.mp4 artifacts, file paths considered unusual in the local environment, and network activity shortly after camera access. Because no official detection logic is provided and no related ATT&CK techniques are supplied, teams should treat this as a behavior pattern requiring local baselining of legitimate camera applications and approved business workflows.
Likely telemetry
- macOS TCC permission or entitlement events for kTCCServiceCamera
- Process execution and process identity metadata on macOS endpoints
- Device or framework access evidence for AppleCamera or AVFoundation
- File creation telemetry for .mov and .mp4 artifacts, including path and owning process
- Endpoint network connection telemetry following camera access
Detection direction
- Build or validate a whitelist of expected macOS camera-using applications before alerting on non-whitelisted processes.
- Correlate camera entitlement, camera/framework handle access, media file creation, and outbound network activity rather than relying on one signal alone.
- Tune for unusual media output locations based on local endpoint norms, user role, and sanctioned applications.
- Review false positives from conferencing, browser, recording, collaboration, accessibility, and media-production tools.
- Assess blind spots where TCC logs, endpoint process telemetry, file creation events, or short-window network correlation are not retained.
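The correlation the list above recommends (entitlement, camera or framework handle access, media file creation in an unusual path, and a short-window outbound connection, evaluated against an allowlist) is shown below as an added example. It is not detection logic from the AN0570 page or from MITRE; the event schema, the allowlist, the "unusual path" heuristic, the ten-minute window, and the sample events are all constructed assumptions, and the record format would need mapping to whatever the local EDR or unified-log pipeline actually emits.

```python
"""Correlate macOS camera-access telemetry into one alert per process.

Added example (not from the AN0570 page or MITRE). Assumptions: events are
dicts with the fields shown in SAMPLE_EVENTS; the allowlist, the frameworks
list, the path heuristic and the correlation window are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of sanctioned camera-using applications (assumption).
CAMERA_ALLOWLIST = {
    "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
    "/System/Applications/FaceTime.app/Contents/MacOS/FaceTime",
}
CAMERA_FRAMEWORKS = {"AppleCamera", "AVFoundation"}   # from the analytic description
MEDIA_SUFFIXES = (".mov", ".mp4")                      # from the analytic description
CORRELATION_WINDOW = timedelta(minutes=10)             # constructed tuning value


def is_unusual_media_path(path: str) -> bool:
    """Constructed heuristic: temp directories or hidden directories are unusual.
    Tune this to local norms (user role, sanctioned apps) per the page's guidance."""
    in_temp = path.startswith(("/tmp/", "/private/tmp/", "/private/var/tmp/", "/var/tmp/"))
    hidden_dir = any(part.startswith(".") for part in path.split("/")[:-1] if part)
    return in_temp or hidden_dir


def _note(signals: list, name: str) -> None:
    """Record a signal type once, preserving first-seen order."""
    if name not in signals:
        signals.append(name)


def correlate_camera_events(events, allowlist=CAMERA_ALLOWLIST, window=CORRELATION_WINDOW):
    """Return alerts for non-allowlisted processes that received the camera
    entitlement and showed at least one further camera-related signal inside
    the window. A single signal on its own never alerts."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_proc[(ev["pid"], ev["process"])].append(ev)

    alerts = []
    for (pid, process), evs in by_proc.items():
        if process in allowlist:
            continue
        grants = [e for e in evs if e["kind"] == "tcc_grant" and e.get("service") == "kTCCServiceCamera"]
        if not grants:
            continue
        t0 = datetime.fromisoformat(grants[0]["ts"])
        t_end = t0 + window
        signals, artifacts, dests = ["tcc_camera_grant"], [], []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if not (t0 <= t <= t_end):
                continue
            if e["kind"] == "device_open" and e.get("framework") in CAMERA_FRAMEWORKS:
                _note(signals, "camera_handle_open")
            elif e["kind"] == "file_create" and e.get("path", "").lower().endswith(MEDIA_SUFFIXES):
                artifacts.append(e["path"])
                _note(signals, "media_file_create")
                if is_unusual_media_path(e["path"]):
                    _note(signals, "unusual_media_path")
            elif e["kind"] == "net_connect":
                dests.append(e["dest"])
                _note(signals, "outbound_connection")
        if len(signals) >= 2:
            alerts.append({
                "pid": pid, "process": process, "first_seen": grants[0]["ts"],
                "signals": signals, "artifacts": artifacts, "destinations": dests,
                "severity": "high" if len(signals) >= 4 else "medium",
            })
    return alerts


# Constructed sample telemetry: one sanctioned app, one suspicious helper, one
# browser that only received the entitlement (should not alert on its own).
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T09:00:00", "kind": "tcc_grant", "pid": 410, "process": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "service": "kTCCServiceCamera"},
    {"ts": "2026-01-10T09:00:01", "kind": "device_open", "pid": 410, "process": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "framework": "AVFoundation"},
    {"ts": "2026-01-10T09:00:02", "kind": "net_connect", "pid": 410, "process": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "dest": "198.51.100.7:443"},
    {"ts": "2026-01-10T09:05:00", "kind": "tcc_grant", "pid": 731, "process": "/Users/alice/Library/Caches/.update/helper", "service": "kTCCServiceCamera"},
    {"ts": "2026-01-10T09:05:03", "kind": "device_open", "pid": 731, "process": "/Users/alice/Library/Caches/.update/helper", "framework": "AppleCamera"},
    {"ts": "2026-01-10T09:05:20", "kind": "file_create", "pid": 731, "process": "/Users/alice/Library/Caches/.update/helper", "path": "/private/var/tmp/.cache/rec1.mov"},
    {"ts": "2026-01-10T09:05:45", "kind": "net_connect", "pid": 731, "process": "/Users/alice/Library/Caches/.update/helper", "dest": "203.0.113.10:443"},
    {"ts": "2026-01-10T09:10:00", "kind": "tcc_grant", "pid": 812, "process": "/Applications/Firefox.app/Contents/MacOS/firefox", "service": "kTCCServiceCamera"},
]

if __name__ == "__main__":
    for alert in correlate_camera_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["process"], alert["signals"])
```

The browser in the sample receives the entitlement but nothing else, so it is left for allowlist review rather than alerted, which is the false-positive pressure the list above anticipates from browsers and conferencing tools. The "blind spot" item maps directly to the window: if TCC, file or network telemetry is not retained for at least the correlation window, the later signals never arrive and every alert degrades to the single-signal case.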
Mitigation priorities
- Maintain controlled approval of applications allowed to access camera services on macOS.
- Harden macOS privacy and device-access settings consistent with business requirements.
- Keep an accurate inventory of sanctioned camera-capable software and expected storage locations.
- Ensure endpoint monitoring captures process, file, TCC, and network evidence needed for investigation.
- Prepare incident response procedures for privacy-sensitive endpoint investigations, including preservation of media artifacts and related network evidence.
Analyst notes and limits
This object is a detection analytic for macOS only. The supplied ATT&CK fields provide a behavioral description but no official detection logic, tactics, relationships, aliases, or technique mappings. Defensive implementation should therefore be based on local baselines and telemetry validation rather than assuming a complete MITRE-defined rule.
No relationship context, official detection text, tactics, or linked techniques were supplied. This summary does not assert active exploitation, attribution, business impact, or guaranteed detection coverage. Local endpoint configuration and logging determine whether the analytic is actionable.
Analytic 0570
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1c53e84c9840… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0570 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.