AN0621: Analytic 0621
Processes invoking AVFoundation or CoreAudio frameworks, accessing input devices via TCC logs or Unified Logs, followed by writing AIFF/WAV/MP3 files to disk.
Analyst context for executives and security teams
This analytic matters because it points to a macOS privacy-sensitive behavior: processes using AVFoundation or CoreAudio to access input devices, then writing audio files such as AIFF, WAV, or MP3 to disk. For leaders, the decision value is not that every recording is malicious, but that microphone or audio-capture activity can create privacy, legal, insider-risk, and incident-response concerns if the organization cannot explain which apps are recording and where audio artifacts are stored.
Executive priority
Prioritize this as a macOS visibility and privacy-control validation item. Security leaders should ask whether the organization collects enough endpoint and macOS privacy telemetry to distinguish approved collaboration, media, accessibility, or business applications from unexpected audio capture. It is also useful compliance evidence: teams can show whether they monitor access to protected input devices and whether file creation of recorded audio is reviewable during investigations.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for macOS processes invoking AVFoundation or CoreAudio, evidence of input-device access in TCC logs or Unified Logs, and subsequent creation of AIFF, WAV, or MP3 files. Because the object provides no ATT&CK tactic and no formal detection logic, this should be implemented as a behavior chain rather than a single event: framework use or protected-device access followed by audio-file writes by the same process, user, or time window. Tuning should account for expected audio, conferencing, browser, media, accessibility, and recording applications.
Likely telemetry
- macOS TCC logs showing access to input devices
- macOS Unified Logs related to AVFoundation, CoreAudio, or input-device access
- Endpoint process execution and process metadata on macOS
- File creation or modification telemetry for AIFF, WAV, and MP3 files
- Process-to-file correlation showing the process that wrote recorded audio artifacts
Detection direction
- Correlate input-device access events with nearby creation of AIFF, WAV, or MP3 files by the same process or user context.
- Baseline approved applications that legitimately use AVFoundation or CoreAudio, such as conferencing, browser, media, and recording tools, to reduce false positives.
- Prioritize unusual application paths, unsigned or unexpected binaries, uncommon parent processes, or audio-file writes in unusual directories where telemetry supports those fields.
- Validate whether TCC and Unified Log retention is sufficient for incident timelines; short retention can make this behavior hard to prove after the fact.
- Do not treat framework invocation alone as malicious; the analytic description requires the added context of input-device access and audio file writes.
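The behavior chain above (input-device access followed by an audio-file write by the same process inside a short window, with a local baseline of approved capture applications excluded) can be expressed as a small correlation routine. This is an added example, not part of the ATT&CK object or Glexia's tooling; the event dicts, the `APPROVED_PREFIXES` baseline and the ten-minute window are constructed assumptions standing in for normalized TCC/Unified Log and file-creation telemetry.

```python
from datetime import datetime, timedelta

AUDIO_EXT = (".aiff", ".aif", ".wav", ".mp3")
# Hypothetical local baseline: applications authorized to capture audio (path-prefix match).
APPROVED_PREFIXES = ("/Applications/zoom.us.app/", "/Applications/Google Chrome.app/")
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real TCC or Unified Log output), already normalized:
# microphone-access events and later file-creation events from the same host.
MIC_ACCESS = [
    {"ts": "2024-05-01T10:00:05", "pid": 501, "user": "alice",
     "proc": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"},
    {"ts": "2024-05-01T10:02:10", "pid": 777, "user": "alice",
     "proc": "/Users/alice/Library/Caches/updater"},
]
FILE_WRITES = [
    {"ts": "2024-05-01T10:01:00", "pid": 501, "user": "alice", "path": "/Users/alice/Documents/Zoom/meeting.wav"},
    {"ts": "2024-05-01T10:02:40", "pid": 777, "user": "alice", "path": "/private/tmp/.cache/rec01.wav"},
    {"ts": "2024-05-01T10:03:00", "pid": 777, "user": "alice", "path": "/Users/alice/notes.txt"},   # not audio
    {"ts": "2024-05-01T10:30:00", "pid": 777, "user": "alice", "path": "/private/tmp/.cache/rec02.mp3"},  # outside window
]

def _t(s):
    return datetime.fromisoformat(s)

def is_approved(proc, approved=APPROVED_PREFIXES):
    return proc.startswith(approved)

def unusual_location(path):
    # Temporary directories and hidden path components are the "unusual directory" signal from the page.
    return path.startswith("/private/tmp/") or "/." in path

def correlate(mic_events, file_events, window=WINDOW, approved=APPROVED_PREFIXES):
    """Alert on AIFF/WAV/MP3 writes by a process within `window` after that process accessed the microphone."""
    alerts = []
    for m in mic_events:
        if is_approved(m["proc"], approved):
            continue  # baselined application: tune, do not alert
        start = _t(m["ts"])
        for f in file_events:
            if f["pid"] != m["pid"] or not f["path"].lower().endswith(AUDIO_EXT):
                continue
            delta = _t(f["ts"]) - start
            if timedelta(0) <= delta <= window:
                alerts.append({"pid": m["pid"], "user": m["user"], "proc": m["proc"], "path": f["path"],
                               "seconds_after_access": int(delta.total_seconds()),
                               "unusual_location": unusual_location(f["path"])})
    return alerts
```

Running `correlate(MIC_ACCESS, FILE_WRITES)` on the constructed data yields one alert for pid 777 (the unbaselined `updater` writing `rec01.wav` 30 seconds after microphone access); the Zoom write is suppressed by the baseline and the later `rec02.mp3` falls outside the window.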
Mitigation priorities
- Confirm macOS privacy permissions and TCC policy expectations for microphone or input-device access.
- Restrict or review which applications are authorized to access input devices on managed macOS systems.
- Ensure endpoint logging captures process, privacy-access, and file-write evidence needed to investigate this behavior.
- Use application control, device management, and least-privilege practices where appropriate to limit unapproved recording tools.
- Document approved business use cases for audio capture so SOC triage can separate expected activity from suspicious behavior.
Analyst notes and limits
No relationship context was supplied, and the ATT&CK object is a detection analytic rather than a technique. The strongest use is as a validation checklist for macOS telemetry and detection engineering around audio capture behavior. Local baselines are essential because many legitimate applications access CoreAudio or AVFoundation and write audio files.
The official detection field is not provided, tactics are not specified, and no related techniques, groups, software, campaigns, or mitigations were supplied. This take is limited to the official description, macOS platform, external reference, and object metadata. It does not establish malicious intent, active exploitation, attribution, or complete detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 32fd5c505708… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0621 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.