AN0592: Analytic 0592
Domain logins using network accounts or mobile accounts via Open Directory or Active Directory plugins, especially outside business hours or on atypical endpoints.
Analyst context for executives and security teams
This analytic focuses on macOS domain logins that use network or mobile accounts through Open Directory or Active Directory plugins, especially when the login occurs outside normal business hours or on an endpoint where that user or account type is unusual. For leaders, the practical value is identity assurance on managed Macs: if domain-authenticated macOS access is not visible, unusual account use may be missed during investigations and access reviews.
Executive priority
Prioritize this as an identity and endpoint visibility question for macOS environments joined to directory services. Security leaders should ask whether SOC and IR teams can prove who logged into which Mac, when, from what account type, and whether the activity was normal for that user and device. This can support incident scoping, insider-risk review, compliance evidence for access monitoring, and resilience of privileged or business-critical workstations.
Technical view
For SOC and detection teams, validate monitoring for macOS domain logins involving network accounts or mobile accounts via Open Directory or Active Directory plugins. Because no official detection logic is provided, the key engineering task is to define local baselines for business hours, expected user-to-endpoint patterns, and normal domain-account usage on macOS. Alerting should focus on deviations such as domain logins at unusual times or on atypical endpoints, with enrichment from asset ownership, user role, and directory account context.
Likely telemetry
- macOS authentication and login events
- Directory service authentication records for Open Directory or Active Directory integrations
- Endpoint identity context showing local, network, or mobile account usage
- Asset inventory linking users to expected macOS endpoints
- Time-of-day and business-hours context for login activity
Detection direction
- Confirm that macOS domain logins are collected and distinguishable from local account logins.
- Validate whether telemetry distinguishes network accounts and mobile accounts (locally cached copies of directory accounts that can still authenticate while the Mac is off-network) from purely local accounts; without directory-node enrichment a mobile-account login can look like a local one.
- Build baselines for normal user-to-endpoint relationships and normal login windows before treating atypical logins as high severity.
- Tune for expected administrative, support, travel, shift-work, and maintenance activity to reduce false positives.
- Use asset criticality and user privilege to prioritize unusual domain logins for investigation.
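The baseline-and-deviation logic described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's page. It classifies each login by account type and then flags logins outside a business-hours window, on an endpoint the user does not normally use, or by a user with no baseline at all, and ranks hits by asset criticality and user privilege. All login records, the directory snapshot, hostnames, usernames and the baseline are constructed for this example. The `;LocalCachedUser;` marker in `AuthenticationAuthority` is how macOS tags a mobile account in the local directory node; confirm it on your own fleet with `dscl . -read /Users/<name> AuthenticationAuthority` before relying on it.

```python
"""Added example: classify macOS account types and score domain logins
against a local baseline. Records, snapshot and baseline are constructed."""
from datetime import datetime, time
from typing import Dict, List, Optional

# Business-hours window and working days (Mon=0 .. Sun=6); tune per site.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
BUSINESS_DAYS = {0, 1, 2, 3, 4}

# Constructed baseline: which endpoints each directory user normally logs into.
BASELINE = {
    "alice": {"MBP-ALICE"},
    "svc-deploy": {"BUILD-MAC-01"},
}
# Constructed enrichment used to prioritize hits.
CRITICAL_HOSTS = {"BUILD-MAC-01", "MBP-FINANCE-07"}
PRIVILEGED_USERS = {"svc-deploy"}

# Constructed snapshot of the local directory node (what `dscl . -read /Users/<name>`
# would return). A mobile account carries ";LocalCachedUser;<original node>" in
# AuthenticationAuthority; a pure local account carries ";ShadowHash;" instead.
# A network account has no local-node record, so it is simply absent here.
SNAPSHOT = {
    "alice": {"AuthenticationAuthority":
              ";LocalCachedUser;/Active Directory/CORP/All Domains:alice:CONSTRUCTED-GUID"
              " ;Kerberosv5;;alice@CORP.EXAMPLE;CORP.EXAMPLE"},
    "localadmin": {"AuthenticationAuthority":
                   ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;"},
}

# Constructed, normalized loginwindow events (ISO timestamps, local time).
EVENTS = [
    {"ts": "2024-03-12T09:15:00", "host": "MBP-ALICE", "user": "alice"},       # Tue, in hours, usual host
    {"ts": "2024-03-12T23:40:00", "host": "MBP-ALICE", "user": "alice"},       # Tue, late night
    {"ts": "2024-03-13T10:05:00", "host": "MBP-FINANCE-07", "user": "alice"},  # Wed, unusual endpoint
    {"ts": "2024-03-16T14:00:00", "host": "BUILD-MAC-01", "user": "svc-deploy"},  # Saturday
    {"ts": "2024-03-12T10:00:00", "host": "MBP-ALICE", "user": "localadmin"},  # local account, out of scope
]


def classify_account(local_record: Optional[dict]) -> str:
    """Return 'network', 'mobile' or 'local' from the local-node record (None if absent)."""
    if local_record is None:
        return "network"
    if ";LocalCachedUser;" in local_record.get("AuthenticationAuthority", ""):
        return "mobile"
    return "local"


def in_business_hours(ts: datetime, hours=BUSINESS_HOURS, days=BUSINESS_DAYS) -> bool:
    return ts.weekday() in days and hours[0] <= ts.time() < hours[1]


def score_login(event: dict, snapshot: Dict[str, dict], baseline: Dict[str, set]) -> dict:
    """Score one login. Local accounts are reported but never alert: the analytic
    covers directory-backed (network/mobile) accounts only."""
    user, host = event["user"], event["host"]
    account_type = classify_account(snapshot.get(user))
    reasons: List[str] = []
    if account_type != "local":
        if not in_business_hours(datetime.fromisoformat(event["ts"])):
            reasons.append("outside_business_hours")
        known_hosts = baseline.get(user)
        if known_hosts is None:
            reasons.append("user_not_in_baseline")
        elif host not in known_hosts:
            reasons.append("atypical_endpoint")
    if not reasons:
        severity = "none"
    elif host in CRITICAL_HOSTS or user in PRIVILEGED_USERS:
        severity = "high"
    else:
        severity = "medium"
    return {"user": user, "host": host, "account_type": account_type,
            "reasons": reasons, "alert": bool(reasons), "severity": severity}


def triage(events: List[dict], snapshot=SNAPSHOT, baseline=BASELINE) -> List[dict]:
    return [score_login(e, snapshot, baseline) for e in events]


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(r)
```

In production the snapshot would come from a periodic `dscl` inventory joined to unified-log loginwindow records by hostname and user, and the baseline from several weeks of observed logins rather than a hard-coded dict; the scoring shape stays the same.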
Mitigation priorities
- Ensure macOS endpoints using directory-backed authentication are included in centralized logging and endpoint monitoring.
- Maintain accurate asset ownership and user-to-device mappings so atypical endpoint access can be identified.
- Review directory account governance for macOS access, including disabled accounts, stale mobile accounts (cached copies that remain on the Mac after the directory account is disabled or removed), and privileged users.
- Define approved business-hour and exception patterns for administrative or support logins.
- Use the analytic as evidence input for access monitoring, incident response scoping, and identity control validation rather than as a standalone conclusion.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and it has no tactics or relationship context. Its value is strongest where an organization uses macOS with Open Directory or Active Directory-backed accounts and needs to identify unusual domain-authenticated access.
The official object provides a short description but no detection logic, data source mapping, related techniques, or relationships. Local macOS logging configuration, directory integration design, business-hour definitions, and user/device baselines are required before this can be operationalized reliably.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f33868afed61… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0592
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.