AN0689: Analytic 0689
Processes accessing TCC-protected input APIs or polling HID services without user interaction, or dynamically loaded keylogging frameworks using accessibility privileges
Analyst context for executives and security teams
This analytic points to a macOS privacy and input-monitoring risk: software accessing protected input APIs, polling Human Interface Device services, or loading keylogging-related frameworks through Accessibility privileges. For leaders, the practical issue is whether endpoint and identity teams can distinguish legitimate assistive/management tools from unauthorized capture of user input. That matters because input capture can undermine credentials, sensitive business communications, and incident containment decisions.
Executive priority
Prioritize this as a macOS endpoint visibility and control-validation question rather than a standalone confirmed threat. Security leaders should ask whether TCC and Accessibility permissions are governed, whether exceptions are documented for audit purposes, and whether SOC teams can review unusual input-access behavior quickly during an investigation. This is especially relevant for organizations with privileged macOS users, developers, executives, or administrators whose keystrokes and credentials would carry higher business risk.
Technical view
The supplied ATT&CK object is a detection analytic for macOS. It describes processes accessing TCC-protected input APIs, polling HID services without user interaction, or dynamically loading keylogging frameworks using Accessibility privileges. Because no official detection logic is provided, defenders should validate available endpoint telemetry around process identity, code signing/notarization context where available, TCC/Accessibility permission state, API or framework access events, and HID service interaction patterns. Triage should focus on whether the process is expected, user-approved, and tied to a legitimate accessibility, endpoint management, or remote support use case.
Likely telemetry
- macOS endpoint process execution and parent/child process context
- TCC and Accessibility permission grants or changes
- Events showing access to protected input APIs
- HID service polling or input-monitoring related activity
- Dynamic library or framework load events related to input capture behavior
Detection direction
- Validate whether telemetry exists for TCC-protected input access and Accessibility privilege usage on macOS endpoints.
- Baseline legitimate accessibility, remote support, endpoint management, and productivity tools that may interact with input APIs to reduce false positives.
- Look for processes polling HID services or accessing input APIs without clear user interaction or business justification.
- Correlate suspicious input-access behavior with recent permission changes, new application installation, unusual process paths, or unexpected framework loading.
- Treat unsigned, newly observed, or user-writable-path processes with input access as higher-priority investigation candidates, while confirming with local environment evidence.
Mitigation priorities
- Inventory and govern macOS applications with Accessibility and input-monitoring permissions.
- Require documented business justification and approval for tools that need TCC-protected input access.
- Review endpoint hardening and configuration practices that limit unauthorized permission grants.
- Ensure SOC and incident response playbooks include collection of macOS TCC, process, and application metadata during suspected input-capture investigations.
- Periodically audit exceptions for privileged users and high-risk roles.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. It is useful for coverage assessment: can the organization see and explain macOS input-access behavior? The relationship context supplied is empty, and tactics are not specified, so the take should be used as a defensive validation prompt rather than as attribution or campaign evidence.
The official detection field is not provided, and no relationships, tactics, procedures, groups, software, or mitigations were supplied. Any production detection must be engineered and tested against local macOS telemetry, approved accessibility tools, and organizational permission-management practices.
Analytic 0689
Processes accessing TCC-protected input APIs or polling HID services without user interaction, or dynamically loaded keylogging frameworks using accessibility privileges
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 6f30692b2137… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0689Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.