AN0707: Analytic 0707
Detect abnormal access to unified logs via log show or fs_usage targeting system log files. Monitor for execution of shell utilities (cat, grep) against /var/log/system.log and for plist modifications enabling verbose logging.
Analyst context for executives and security teams
This analytic matters because macOS system and unified logs can expose operational, security, and user activity details that may be useful during unauthorized discovery or preparation activity. For leaders, the decision value is whether macOS endpoints are logging enough process, file, and configuration-change evidence to distinguish normal administration and troubleshooting from unusual log access or verbose logging changes.
Executive priority
Prioritize this as a macOS endpoint visibility and investigation-readiness question rather than a standalone business-impact claim. Security leaders should ask whether SOC and incident response teams can prove who accessed system logs, which tools were used, and whether logging settings were changed. This supports incident triage, audit evidence, insider-risk review, and endpoint hardening decisions where macOS systems are material to business operations.
Technical view
Validate monitoring for macOS process execution involving log show, fs_usage, and common shell utilities such as cat or grep when used against /var/log/system.log or other system log locations. Also validate visibility into plist modifications that enable verbose logging. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-specific detection analytic and correlate locally with user role, host role, interactive session context, administrative maintenance windows, and adjacent endpoint events before escalation.
Likely telemetry
- macOS process execution events, including command line where available
- File access or file read activity for /var/log/system.log and related system log paths
- Execution of log show and fs_usage
- Execution of shell utilities such as cat and grep against system log files
- plist file modification events related to verbose logging configuration
Detection direction
- Baseline legitimate macOS administration, troubleshooting, EDR support, and compliance collection activity that reads system logs.
- Tune for unusual combinations: non-administrative users, unexpected hosts, uncommon parent processes, repeated access, or log access outside maintenance windows.
- Correlate plist changes enabling verbose logging with the responsible process and user; treat configuration changes differently from one-time log reads.
- Expect false positives from system administrators, IT support scripts, endpoint management tools, and diagnostic workflows.
- Confirm whether telemetry includes command-line arguments and file paths; without those fields, this analytic may be difficult to validate reliably.
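As an added illustration of the telemetry list and the tuning guidance above (this is example code written for this page, not detection logic from the ATT&CK analytic or from Glexia), the following Python script applies those tuning factors to a handful of constructed macOS endpoint events. The event schema, the admin user and approved parent baselines, the maintenance window, the plist directory, the score weights and the repeat threshold are all assumptions chosen for illustration and would be replaced with local baselines.

```python
"""Score constructed macOS endpoint events against the AN0707 tuning factors.

Added example. Every baseline below (admin users, approved parent processes,
maintenance window, plist location, weights) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Paths that count as "system log files" for the shell-utility rule (assumed).
SYSTEM_LOG_PREFIXES = ("/var/log/", "/private/var/log/")
SHELL_LOG_READERS = {"cat", "grep", "egrep", "tail", "head", "less", "more"}
# Assumed location of plists that change logging verbosity; adjust to what
# your own endpoint telemetry reports.
LOGGING_PLIST_DIRS = ("/Library/Preferences/Logging/",)

# Hypothetical local baselines.
ADMIN_USERS = {"itadmin"}
APPROVED_PARENTS = {"jamf", "osqueryd", "launchd"}
MAINTENANCE_HOURS = range(2, 5)   # 02:00-04:59, assumed maintenance window
REPEAT_THRESHOLD = 3              # third log read by same host/user adds weight

# Configuration changes weigh more than one-time log reads.
BASE_SCORE = {
    "unified_log_show": 2,
    "fs_usage_trace": 2,
    "shell_read_system_log": 2,
    "verbose_logging_plist_change": 4,
}


def references_system_log(args):
    """True if any command-line argument points into a system log directory."""
    return any(a.startswith(SYSTEM_LOG_PREFIXES) for a in args)


def classify(event):
    """Map one event to the analytic behaviour it matches, or None."""
    if event["type"] == "process":
        proc, args = event["process"], event.get("args", [])
        if proc == "log" and args[:1] == ["show"]:
            return "unified_log_show"
        if proc == "fs_usage":
            return "fs_usage_trace"
        if proc in SHELL_LOG_READERS and references_system_log(args):
            return "shell_read_system_log"
    elif event["type"] == "file_modify":
        path = event["path"]
        if path.endswith(".plist") and path.startswith(LOGGING_PLIST_DIRS):
            return "verbose_logging_plist_change"
    return None


def score_events(events):
    """Return one finding per matching event, with a score and the reasons."""
    findings = []
    reads_by_actor = defaultdict(int)   # (host, user) -> number of log reads
    for ev in sorted(events, key=lambda e: e["ts"]):
        behaviour = classify(ev)
        if behaviour is None:
            continue
        score, reasons = BASE_SCORE[behaviour], [behaviour]
        if ev["user"] not in ADMIN_USERS:
            score += 2
            reasons.append("non_admin_user")
        if ev["parent"] not in APPROVED_PARENTS:
            score += 1
            reasons.append("unapproved_parent")
        if datetime.fromisoformat(ev["ts"]).hour not in MAINTENANCE_HOURS:
            score += 1
            reasons.append("outside_maintenance_window")
        if behaviour != "verbose_logging_plist_change":
            actor = (ev["host"], ev["user"])
            reads_by_actor[actor] += 1
            if reads_by_actor[actor] >= REPEAT_THRESHOLD:
                score += 2
                reasons.append("repeated_access")
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "behaviour": behaviour, "score": score, "reasons": reasons})
    return findings


def escalation_candidates(events, threshold=5):
    """Findings at or above the threshold; the rest stay as baseline noise."""
    return [f for f in score_events(events) if f["score"] >= threshold]


# Constructed sample telemetry: one approved admin read, then a non-admin
# session reading system logs repeatedly and changing a logging plist.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T03:10:00", "host": "mac-042", "user": "itadmin", "parent": "jamf",
     "type": "process", "process": "log", "args": ["show", "--last", "1h"]},
    {"ts": "2024-05-01T14:02:11", "host": "mac-042", "user": "jdoe", "parent": "python3",
     "type": "process", "process": "grep", "args": ["-i", "error", "/var/log/system.log"]},
    {"ts": "2024-05-01T14:02:40", "host": "mac-042", "user": "jdoe", "parent": "python3",
     "type": "process", "process": "cat", "args": ["/var/log/system.log"]},
    {"ts": "2024-05-01T14:03:05", "host": "mac-042", "user": "jdoe", "parent": "python3",
     "type": "process", "process": "fs_usage", "args": ["-w", "-f", "filesys"]},
    {"ts": "2024-05-01T14:05:30", "host": "mac-042", "user": "jdoe", "parent": "python3",
     "type": "file_modify", "path": "/Library/Preferences/Logging/Subsystems/com.example.app.plist"},
    {"ts": "2024-05-01T14:06:00", "host": "mac-042", "user": "jdoe", "parent": "zsh",
     "type": "process", "process": "ls", "args": ["-la", "/var/log"]},
]

if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["behaviour"], f["score"], ",".join(f["reasons"]))
```

Run as-is, the admin's `log show` during the maintenance window scores 2 and stays below the escalation threshold, while the non-admin session scores 6, 6, 8 and 8: the fifth read is not flagged more harshly simply because it is a read, but because it is the third read by the same host and user, and the plist change carries the higher base weight the guidance asks for. Without command-line arguments and file paths in the telemetry, `classify` cannot distinguish `grep` against a system log from any other `grep`, which is the validation gap the last bullet above warns about.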
Mitigation priorities
- Ensure macOS endpoint logging captures process execution, command line, file access, and relevant configuration modification events where policy permits.
- Restrict administrative access to users and tools with a defined operational need to access system logs or modify logging configuration.
- Document approved troubleshooting and endpoint management workflows so SOC teams can suppress known-good activity without hiding suspicious deviations.
- Review permissions and change control for plist files that affect logging verbosity.
- Use incident response playbooks to preserve relevant endpoint telemetry when abnormal log access or logging configuration changes are observed.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. It identifies abnormal access to unified logs through log show or fs_usage, shell utility access to /var/log/system.log, and plist modifications enabling verbose logging. No official detection logic, ATT&CK tactic, technique relationship, malware/tool relationship, or campaign context was supplied, so local baselining is essential.
This take is limited to the provided ATT&CK fields and external reference. It does not establish adversary use, active exploitation, impact, or guaranteed detection. No relationship context was supplied, and the official detection field is not provided, so implementation details must be developed and validated in the local environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 68037635797b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.