MITRE ATT&CK® Analytic

AN0752: Analytic 0752

Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files.

Domain: Enterprise | ID: AN0752 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0752 matters because it focuses on macOS remote access activity: a remote login via ARD or SSH followed by screensharingd activity or modification of TCC-protected files. For leaders, the practical issue is whether remote administration on Macs is governed, observable, and reviewable enough to distinguish approved support from suspicious hands-on-keyboard access.

Executive priority

Treat this analytic as a control-validation prompt for macOS remote access governance. Security leaders should ask whether ARD/SSH use is authorized by business need, whether SOC teams can correlate remote logins to follow-on process and protected-file activity, and whether incident responders have evidence to determine if a remote session changed sensitive macOS privacy-control data.

Technical view

For macOS endpoints, validate that remote login events over ARD or SSH can be correlated with subsequent screensharingd process activity or modification of TCC-protected files. In practice the process of interest is screensharingd, the daemon that backs macOS Screen Sharing and is also used for ARD screen control, and the files of interest are the TCC databases (TCC.db, system-wide under /Library/Application Support/com.apple.TCC and per-user under the same path inside each home directory). Because ATT&CK supplies no separate detection logic, thresholds, or relationships for this analytic, teams should baseline legitimate remote support, administration, and management workflows in their own environment before alerting broadly.

Likely telemetry

  • macOS authentication and remote login records for ARD and SSH
  • process activity telemetry showing screensharingd execution or lifecycle events
  • file modification telemetry for TCC-protected files
  • endpoint security or EDR events that correlate user, host, process, file, and timestamp
  • remote administration configuration or service-state evidence for macOS systems

Detection direction

  • Confirm that macOS logging actually captures ARD/SSH logins (for example, sshd and screensharingd entries in the unified log, plus file events from the EDR or Endpoint Security client) and that those records carry the same host and user context as later process or file events.
  • Tune against known IT support and device-management workflows to reduce false positives from authorized remote administration.
  • Prioritize cases where remote login is closely followed by screensharingd activity or TCC-protected file modification, since that sequence is the core analytic behavior.
  • Review blind spots on unmanaged Macs, systems without endpoint telemetry, or environments where TCC-protected file changes are not centrally collected.
  • Because no ATT&CK relationships or tactics were supplied, avoid over-mapping this analytic to a broader intrusion pattern without local evidence.
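The following is an added example, not code from Glexia or MITRE, showing the correlation logic the technical view and detection direction describe: a non-approved SSH or ARD login is paired with screensharingd execution or a TCC.db modification on the same host inside a short window, while an approved (user, source address) pair for a documented help-desk workflow is suppressed. The pipe-delimited record format, field names, hostnames, users, addresses and timestamps are all constructed for the example; a real pipeline would first normalize unified-log and EDR output into this shape. The TCC.db suffix is the standard macOS location; the 10-minute window and the allowlist entry are assumptions to tune locally.

```python
"""Correlate macOS remote logins (SSH or ARD) with follow-on screensharingd
activity or TCC-protected file modification, the sequence AN0752 describes.

Added example, not Glexia or MITRE code. Record format, hosts, users, addresses
and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote login methods named by the analytic.
REMOTE_METHODS = frozenset({"ssh", "ard"})

# TCC databases live system-wide under /Library and per-user under ~/Library;
# matching on the suffix covers both locations.
TCC_DB_SUFFIX = "/Library/Application Support/com.apple.TCC/TCC.db"


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "remote_login", "process" or "file_modify"
    detail: str    # login method, process name or modified path
    src: str = ""  # source address for logins, empty otherwise


@dataclass(frozen=True)
class Alert:
    login: Event
    follow_on: Event

    def describe(self) -> str:
        gap = int((self.follow_on.ts - self.login.ts).total_seconds())
        return (f"{self.login.host}: {self.login.detail} login by {self.login.user} "
                f"from {self.login.src} followed after {gap}s by "
                f"{self.follow_on.kind} {self.follow_on.detail}")


def parse_line(line: str) -> Event:
    """Parse one constructed, pipe-delimited, pre-normalized record."""
    ts, host, user, kind, detail, src = line.split("|")
    return Event(datetime.fromisoformat(ts), host, user, kind, detail, src)


def is_tcc_protected(path: str) -> bool:
    return path.endswith(TCC_DB_SUFFIX)


def is_follow_on(ev: Event) -> bool:
    """True for the two follow-on behaviours named in the analytic."""
    if ev.kind == "process":
        return ev.detail == "screensharingd"
    if ev.kind == "file_modify":
        return is_tcc_protected(ev.detail)
    return False


def correlate(events, window=timedelta(minutes=10), approved=frozenset()):
    """Pair each non-approved remote login with follow-on events on the same
    host inside `window`. Correlation is by host rather than user because
    screensharingd is a system daemon and typically runs as root, so the login
    user and the follow-on process user differ. `approved` holds
    (user, source address) pairs for documented support workflows."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, login in enumerate(ordered):
        if login.kind != "remote_login" or login.detail not in REMOTE_METHODS:
            continue
        if (login.user, login.src) in approved:
            continue
        for ev in ordered[i + 1:]:
            if ev.ts - login.ts > window:
                break  # sorted by time, so nothing later can match
            if ev.host == login.host and is_follow_on(ev):
                alerts.append(Alert(login, ev))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2025-01-01T09:00:00|mac-finance-07|jdoe|remote_login|ssh|10.20.30.40
2025-01-01T09:02:00|mac-finance-07|root|process|screensharingd|
2025-01-01T09:05:00|mac-finance-07|jdoe|file_modify|/Users/jdoe/Library/Application Support/com.apple.TCC/TCC.db|
2025-01-01T09:30:00|mac-finance-07|jdoe|file_modify|/Users/jdoe/Documents/notes.txt|
2025-01-01T10:00:00|mac-eng-12|helpdesk|remote_login|ard|10.0.5.5
2025-01-01T10:01:00|mac-eng-12|root|process|screensharingd|
2025-01-01T11:00:00|mac-eng-12|root|process|screensharingd|
"""

# Assumed allowlist entry for the help-desk ARD workflow; tune per environment.
APPROVED_SUPPORT = frozenset({("helpdesk", "10.0.5.5")})


def run(log_text: str = SAMPLE_LOG, approved=APPROVED_SUPPORT):
    records = (parse_line(line) for line in log_text.splitlines() if line)
    return correlate(records, approved=approved)


if __name__ == "__main__":
    for alert in run():
        print(alert.describe())
```

With the allowlist applied, only the jdoe SSH login on mac-finance-07 produces alerts (screensharingd two minutes later, then the per-user TCC.db write); the help-desk ARD session is suppressed, and the lone screensharingd start at 11:00 with no preceding remote login in the window is not reported, because the analytic is about the sequence, not either event alone.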

Mitigation priorities

  • Inventory where ARD and SSH are enabled on macOS and confirm each use has an approved administrative purpose.
  • Restrict remote login capability to authorized users, managed devices, and documented support workflows.
  • Apply least-privilege administration for accounts allowed to use remote access on macOS.
  • Protect and monitor changes to TCC-protected files through endpoint controls and change-review processes.
  • Ensure incident response playbooks include macOS remote-session triage, including user validation, timeline review, process activity, and protected-file change analysis.

Analyst notes and limits

This is a detection analytic object, not a technique object. The supplied ATT&CK content is limited to a short description: remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files. The strongest use is as a validation checklist for macOS telemetry, remote administration policy, and SOC correlation logic.

No official detection text, tactics, relationships, aliases, or labels were supplied. This take does not claim active exploitation, attribution, impact, or guaranteed detection coverage. Local macOS logging configuration, EDR visibility, and approved remote support patterns are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 0752

Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where related groups, software, data sources, or mitigations are listed, validate them against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: 3231409872db797e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3231409872db…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0752 (source URL available from the original MITRE record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.