AN0618: Analytic 0618
Detects external volume mount with Finder, Terminal, or script-initiated file copy from user profiles, sensitive folders, or cloud storage sync directories to USB.
Analyst context for executives and security teams
This analytic is about spotting potential data movement from a macOS user’s local, sensitive, or cloud-synced folders onto a USB or other external volume. For leaders, the value is not just “USB monitoring”; it is evidence that the organization can see when business data may be copied out through common user workflows such as Finder, Terminal, or scripts.
Executive priority
Prioritize this where macOS endpoints handle regulated data, sensitive business files, or cloud-synced content. The key management question is whether security teams can prove visibility over removable-media transfers and distinguish legitimate business use from risky or unauthorized copying. This also supports incident response scoping and compliance evidence for data handling controls.
Technical view
For SOC and detection teams, validate that macOS telemetry can correlate an external volume mount with file copy activity from user profiles, sensitive folders, or cloud storage sync directories to that mounted volume. The analytic description explicitly includes Finder, Terminal, and script-initiated copies, so coverage should not depend only on command-line events. No official detection logic or tactics were supplied, so local implementation must define monitored paths, removable volume identification, thresholds, and alert context.
Likely telemetry
- macOS external volume mount and removable media events
- Endpoint file creation, copy, or write events targeting mounted external volumes
- Process execution or parent-process context for Finder, Terminal, and script interpreters
- File path context for user profiles, sensitive folders, and cloud storage sync directories
- Device or volume metadata for USB/external storage
Detection direction
- Validate correlation between volume mount time, source directory, destination external volume, initiating process, user, and host.
- Ensure Finder-based file copies are visible, not only Terminal or script-driven activity.
- Tune for known legitimate workflows such as approved backups, IT support activity, or authorized file transfers.
- Define and maintain the list of sensitive folders and cloud sync directories relevant to the environment.
- Review blind spots where endpoint telemetry does not capture file writes to external volumes or lacks process attribution.
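As an added example (not code from the analytic object or from Glexia), the correlation described in the Technical view and the Detection direction list above, run over constructed macOS telemetry: a removable-volume mount is tied to later file writes whose source is a monitored user, sensitive or cloud-sync directory and whose initiating process is Finder, a shell copy tool or a script interpreter. The event schema, monitored paths, process list, allowlist and 30-minute window are all assumptions to be tuned locally.

```python
from datetime import datetime, timedelta

# Monitored source roots (assumed; tune per environment); CloudStorage holds Dropbox/OneDrive-style sync dirs.
SENSITIVE_SRC = ("/Users/{user}/Documents", "/Users/{user}/Desktop",
                 "/Users/{user}/Library/Mobile Documents", "/Users/{user}/Library/CloudStorage")
COPY_PROCS = {"Finder", "cp", "rsync", "ditto", "bash", "zsh", "osascript", "python3"}  # GUI, shell, scripts
APPROVED_PROCS = {"BackupAgent"}   # assumed allowlist for an approved backup workflow
WINDOW = timedelta(minutes=30)     # copies this long after a mount are correlated with it

def correlate(events):
    """events: time-ordered dicts of kind 'mount' or 'file_write' (constructed schema); returns alerts."""
    mounts, alerts = {}, []           # (host, mountpoint) -> mount time
    for e in events:
        if e["kind"] == "mount" and e.get("removable"):   # skip boot volume / network shares
            mounts[(e["host"], e["mountpoint"])] = datetime.fromisoformat(e["time"])
        if e["kind"] != "file_write":
            continue
        mp = next((m for h, m in mounts if h == e["host"] and e["dst"].startswith(m + "/")), None)
        if mp is None:
            continue                  # destination is not a volume we saw mounted as removable
        t, mounted_at = datetime.fromisoformat(e["time"]), mounts[(e["host"], mp)]
        roots = [r.format(user=e["user"]) for r in SENSITIVE_SRC]
        if (mounted_at <= t <= mounted_at + WINDOW
                and e["process"] in COPY_PROCS and e["process"] not in APPROVED_PROCS
                and any(e.get("src", "").startswith(r + "/") for r in roots)):
            alerts.append({"host": e["host"], "user": e["user"], "process": e["process"],
                           "src": e["src"], "dst": e["dst"], "volume": mp,
                           "mounted_at": mounted_at.isoformat(), "copied_at": e["time"]})
    return alerts

# Constructed sample telemetry: a Finder copy from Documents and a Terminal cp from a cloud
# sync directory should alert; the allowlisted backup agent should not.
SAMPLE_EVENTS = [
    {"kind": "mount", "time": "2026-01-10T09:00:00", "host": "mac-01",
     "mountpoint": "/Volumes/KINGSTON", "removable": True},
    {"kind": "file_write", "time": "2026-01-10T09:02:10", "host": "mac-01", "user": "alice",
     "process": "Finder", "src": "/Users/alice/Documents/q4-forecast.xlsx",
     "dst": "/Volumes/KINGSTON/q4-forecast.xlsx"},
    {"kind": "file_write", "time": "2026-01-10T09:05:00", "host": "mac-01", "user": "alice",
     "process": "cp", "src": "/Users/alice/Library/CloudStorage/OneDrive-Corp/plan.docx",
     "dst": "/Volumes/KINGSTON/plan.docx"},
    {"kind": "file_write", "time": "2026-01-10T09:06:00", "host": "mac-01", "user": "alice",
     "process": "BackupAgent", "src": "/Users/alice/Desktop/notes.txt",
     "dst": "/Volumes/KINGSTON/backup/notes.txt"},
]

def run_sample():
    return correlate(SAMPLE_EVENTS)
```

Each alert carries the host, user, process, source, destination, volume and mount time the Detection direction list asks for, so it can be handed to IR with its evidence intact.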
Mitigation priorities
- Establish policy for removable media use on macOS endpoints that handle sensitive data.
- Apply endpoint or data protection controls to restrict, approve, or monitor writes to external volumes where business risk justifies it.
- Reduce unnecessary local storage of sensitive data in user profiles and cloud sync folders.
- Maintain inventory of macOS systems and users permitted to use external storage for business purposes.
- Use incident response procedures that preserve host, user, process, file path, and external volume evidence when this behavior is observed.
Analyst notes and limits
This is a detection analytic object for macOS only. Its practical value is strongest as a validation point for data loss monitoring, insider-risk triage, and IR scoping around removable media transfers. The supplied object provides a behavioral description but no official detection logic, no tactics, and no relationship context.
No official detection field, ATT&CK tactic, related techniques, mitigations, groups, software, or data sources were supplied. Conclusions should therefore be treated as implementation guidance, not evidence of active exploitation, attribution, or existing coverage. Local telemetry and data classification are required to determine priority and alert severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0dc973702d40… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0618 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.