AN0669: Analytic 0669
Detection of tampering with Apple's Unified Logging framework or modification of system log forwarding settings. Defender observes execution of logd-related commands or defaults write to logging preferences.
Analyst context for executives and security teams
This analytic matters because macOS logging is a core source of evidence for security monitoring, incident response, and audit reconstruction. Tampering with Apple’s Unified Logging framework or changing system log forwarding settings can reduce visibility at exactly the point defenders need reliable evidence. For leaders, the key issue is not only detecting a single command, but confirming that macOS endpoint and log-forwarding telemetry cannot be silently weakened without alerting and investigation.
Executive priority
Treat this as a visibility-assurance control for macOS environments. Security leaders should ask whether SOC and incident response teams can prove that Unified Logging and log forwarding remain intact across managed Macs, especially for privileged systems and executive, developer, or administrative workstations. This supports resilience, compliance evidence, and incident decision-making because incomplete logs can undermine root-cause analysis and containment confidence.
Technical view
The supplied ATT&CK analytic is macOS-specific and focuses on observing execution of logd-related commands or defaults write activity against logging preferences. SOC and detection engineering teams should validate whether endpoint telemetry captures relevant process execution, command-line arguments, parent process context, user identity, privilege level, and changes to logging or forwarding preferences. Because no tactic, relationship context, or official detection logic is supplied, implementation should be locally tested against authorized administration workflows and expected macOS management tooling.
Likely telemetry
- macOS process execution events
- Command-line arguments for logd-related commands
- Execution of defaults write affecting logging preferences
- User and privilege context for logging configuration changes
- Parent process and initiating application context
Detection direction
- Alert or review unusual logd-related command execution on macOS, especially outside approved administration or endpoint management activity.
- Monitor defaults write activity that modifies logging preferences, with tuning for legitimate configuration profiles, IT scripts, or management agents.
- Correlate local endpoint events with central log ingestion health to identify cases where configuration changes are followed by reduced or missing log flow.
- Prioritize high-value macOS assets where loss of logging would materially affect incident response or audit evidence.
- Document known-good administrative patterns to reduce false positives while preserving visibility into unauthorized or unexpected changes.
Mitigation priorities
- Define approved methods for macOS logging and log-forwarding configuration changes.
- Restrict administrative privileges needed to alter logging behavior where operationally feasible.
- Use managed configuration and change-control processes for logging preferences and forwarding settings.
- Regularly validate that macOS endpoints are producing and forwarding expected logs.
- Include logging-tamper checks in incident response triage for macOS systems when evidence gaps appear.
Analyst notes and limits
This object is a detection analytic, not a full technique description. The practical value is in validating whether macOS logging integrity is monitored and whether changes to Unified Logging or forwarding settings are explainable by authorized administration. With no relationships supplied, the take should be used as visibility and control-validation guidance rather than attribution or campaign context.
ATT&CK provides no official detection logic, no tactic mapping, no related techniques or groups, and no relationship context for this object. Environment-specific baselining is required to distinguish legitimate macOS administration from suspicious logging changes. The supplied platform scope is macOS only.
Analytic 0669
Detection of tampering with Apple's Unified Logging framework or modification of system log forwarding settings. Defender observes execution of logd-related commands or defaults write to logging preferences.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | a6ab9ecf7ce6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0669Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.