AN0867: Analytic 0867

This analytic is relevant because unauthorized additions to privileged macOS groups such as admin can quickly turn a normal account into a high-risk identity. For leaders, the practical question is whether the organization can prove who changed local macOS administrative membership, when it happened, and whether the change was expected.

Executive priority

Prioritize this where macOS endpoints are material to business operations or privileged access governance. Coverage supports incident triage, local administrator control, audit evidence, and resilience against account misuse. Because ATT&CK provides no tactic mapping or detection logic for this analytic, leaders should treat it as a validation target: confirm the SOC can observe privileged group changes made with dseditgroup or dscl before relying on this control for compliance or incident response.

Technical view

AN0867 applies to macOS and focuses on detecting use of dseditgroup or dscl to add users to privileged local groups, for example admin. SOC and detection teams should validate process execution visibility for these binaries, command-line argument capture, user context, parent process, and endpoint identity. IR teams should be able to reconstruct the account added, the group modified, the initiating user or process, and whether the change aligns with approved administration.

Likely telemetry

macOS endpoint process execution events for dseditgroup and dscl
Command-line arguments showing user and group modification activity
Endpoint security or EDR events with parent process and user context
Local account and group membership change evidence
Device management or asset inventory records showing expected local administrators

Detection direction

Alert or hunt on dseditgroup or dscl executions that add users to privileged groups such as admin.
Tune against known administrative workflows, MDM activity, help desk scripts, and approved provisioning processes to reduce false positives.
Correlate the process event with the initiating account, host, parent process, and change window.
Validate that command-line logging is complete enough to distinguish group additions from benign directory queries.
Because no official detection logic is provided, test the analytic in local macOS environments before claiming coverage.

Mitigation priorities

Define and enforce approved local administrator membership on macOS systems.
Limit who can modify privileged local groups and require accountable administrative workflows.
Use endpoint management or configuration review to identify drift from expected privileged group membership.
Ensure SOC and IR runbooks include investigation steps for unexpected macOS privileged group additions.
Retain sufficient endpoint telemetry to support audit and incident reconstruction.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, AN0867, for enterprise ATT&CK on macOS. It has no supplied relationship context, tactic mapping, or official detection logic beyond the description. The business value is strongest for identity governance, endpoint administration control, SOC validation, and incident response evidence around local macOS privilege changes.

This take is limited to the supplied STIX fields and external reference. It does not infer adversary use, active exploitation, specific ATT&CK tactics, or guaranteed detection coverage. Local logging configuration, EDR capability, MDM behavior, and approved admin processes are required to determine whether this analytic is actionable in a given environment.

Official MITRE ATT&CK definition

Analytic 0867

Detects use of `dseditgroup` or `dscl` to add users to privileged macOS groups (e.g., admin).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: ea5e546dd9a46428...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`ea5e546dd9a4…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0867
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams