MITRE ATT&CK® Analytic

AN0870: Analytic 0870

Detection of fake or spoofed macOS Security & Privacy GUIs showing healthy status after XProtect, Gatekeeper, or AV processes are disabled. Correlates user-space UI process creation with terminated or missing security daemons.

Enterprise | AN0870 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a macOS deception scenario: a user may see a fake or spoofed Security & Privacy-style interface reporting that protections are healthy while XProtect, Gatekeeper, or antivirus-related processes are disabled, terminated, or missing. For leaders, the risk is not just malware defense failure; it is loss of trust in endpoint status reporting and delayed incident response because users and support teams may believe the device is protected when it is not.

Executive priority

Prioritize this as a macOS endpoint trust and resilience issue. Security leaders should ask whether endpoint protection health is verified from trusted telemetry rather than user-visible UI alone, whether SOC and help desk teams can identify disabled security daemons, and whether incident response playbooks treat suspicious security-status UI as potential evidence of defense evasion. This is relevant to control assurance, audit evidence, and operational readiness for macOS fleets.

Technical view

For SOC, detection engineering, and IR teams, the supplied analytic describes correlating user-space UI process creation with terminated or missing macOS security daemons associated with XProtect, Gatekeeper, or AV processes. Validation should focus on whether endpoint telemetry can show both sides of that correlation: process creation for suspicious or unexpected UI activity, and reliable process or service state for the macOS security components. Note that the relevant process names vary by macOS version (Gatekeeper policy is enforced by syspolicyd, and XProtect runs as a system service with separate XProtect Remediator scanners on current releases) and that third-party AV agents have their own daemon names, so the list of required daemons has to be set per fleet. Because no ATT&CK tactic, technique relationship, or formal detection logic is supplied, teams should treat this as a detection concept requiring local baselining and environment-specific tuning.

Likely telemetry

  • macOS process creation events for user-space applications and UI-related processes
  • macOS process termination events
  • Security daemon or service health/state telemetry for XProtect, Gatekeeper, and antivirus-related components
  • Endpoint detection and response telemetry from macOS hosts
  • System logs or endpoint management records showing missing, stopped, or disabled security processes

Detection direction

  • Validate that macOS telemetry can distinguish the genuine operating system security UI (System Settings or System Preferences launched from its /System path with an Apple code signature) from an unexpected user-space process that merely presents a security-status window.
  • Correlate suspicious security-status UI activity with daemon termination, absence, or a disabled state on the same host; alerting on UI process names alone is noisy and trivially evaded by renaming.
  • Baseline legitimate administrative, update, troubleshooting, and security tool workflows (agent upgrades, MDM-driven restarts) to reduce false positives.
  • Confirm that monitoring continues when endpoint protection components are degraded or stopped: if the EDR agent is itself the source of process telemetry, its termination silences both halves of the correlation. This is the key blind spot for this analytic, and "no daemon telemetry" must be treated differently from "daemon observed exiting".
  • Use host, user, time window, and process lineage (parent process and launching user) to decide whether the UI event and the missing daemon state are related.
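One way to implement the correlation the bullets above describe, as an added example that is not MITRE's analytic query and not Glexia's code: it reads constructed process start/exit records, flags a process that presents a security or privacy window from outside /System, and checks the state of each required daemon on the same host at that moment, separating daemons that were seen exiting (and how long before the UI launch) from daemons with no telemetry at all, which is the blind-spot case in the fourth bullet. The daemon names (XprotectService, syspolicyd, and a placeholder AV agent), the record format, the path and keyword heuristics, and the 30-minute window are all assumptions to tune per fleet.

```python
"""Correlate spoofed security-status UI launches with missing macOS security daemons.
Added illustration for AN0870, not MITRE's or Glexia's code; the record format,
daemon names and sample telemetry are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: daemons that must be alive. XprotectService (XProtect) and syspolicyd
# (Gatekeeper) exist on current macOS; "exampleav-agent" is a placeholder for a
# third-party AV agent. Replace all three with what your EDR reports for your fleet.
REQUIRED_DAEMONS = ("XprotectService", "syspolicyd", "exampleav-agent")
# Genuine Apple security UI runs from a /System path; a "security" window launched
# from anywhere else is suspect. The keyword list is a heuristic; tune it per fleet.
TRUSTED_UI_PREFIXES = ("/System/Applications/", "/System/Library/")
UI_KEYWORDS = ("security", "privacy", "system settings", "system preferences",
               "antivirus", "protection")
WINDOW = timedelta(minutes=30)  # a daemon exit this close to the UI launch counts as related

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # "start" or "exit"
    name: str
    path: str
    user: str

@dataclass
class Alert:
    host: str
    ts: datetime
    ui_process: str
    ui_path: str
    user: str
    missing: list              # daemons whose latest event on the host was an exit
    recently_terminated: dict  # daemon -> seconds between its exit and the UI launch
    unobserved: list           # no telemetry at all: never started, or a collection gap
    severity: str

def parse_line(line):
    """One constructed record: ts|host|kind|name|path|user (pipe-separated)."""
    ts, host, kind, name, path, user = line.split("|")
    return Event(datetime.fromisoformat(ts), host, kind, name, path, user)

def is_suspicious_ui(ev):
    """Process start that presents as a security/privacy UI from an untrusted path."""
    if ev.kind != "start" or not any(k in ev.name.lower() for k in UI_KEYWORDS):
        return False
    return not ev.path.startswith(TRUSTED_UI_PREFIXES)

def daemon_state(events, host, daemon, at):
    """('running'|'exited'|'unobserved', exit time) for `daemon` on `host` as of `at`."""
    last = None
    for ev in events:
        if ev.host == host and ev.name == daemon and ev.ts <= at:
            if last is None or ev.ts >= last.ts:
                last = ev
    if last is None:
        return "unobserved", None
    return ("exited", last.ts) if last.kind == "exit" else ("running", None)

def correlate(lines):
    """One Alert per suspicious UI launch on a host where a required daemon is not running."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if not is_suspicious_ui(ev):
            continue
        missing, terminated, unobserved = [], {}, []
        for d in REQUIRED_DAEMONS:
            state, when = daemon_state(events, ev.host, d, ev.ts)
            if state == "exited":
                missing.append(d)
                if ev.ts - when <= WINDOW:
                    terminated[d] = int((ev.ts - when).total_seconds())
            elif state == "unobserved":
                unobserved.append(d)
        if missing or unobserved:
            # An observed exit just before the UI launch is the strongest signal;
            # "unobserved" may only mean the sensor itself went quiet (the blind spot).
            alerts.append(Alert(ev.host, ev.ts, ev.name, ev.path, ev.user, missing,
                                terminated, unobserved, "high" if terminated else "medium"))
    return alerts

# Constructed sample telemetry (not real log output); daemon paths are omitted as "-".
SAMPLE_EVENTS = [
    "2026-03-02T09:00:00|mac-042|start|XprotectService|-|root",
    "2026-03-02T09:00:00|mac-042|start|syspolicyd|-|root",
    "2026-03-02T09:00:00|mac-042|start|exampleav-agent|-|root",
    "2026-03-02T09:41:00|mac-042|exit|exampleav-agent|-|root",
    "2026-03-02T09:42:00|mac-042|exit|XprotectService|-|root",
    "2026-03-02T09:43:00|mac-042|start|Security & Privacy|/Users/alice/Library/Caches/.status/Security & Privacy|alice",
    "2026-03-02T09:50:00|mac-042|start|System Settings|/System/Applications/System Settings.app/Contents/MacOS/System Settings|alice",
    "2026-03-02T10:10:00|mac-099|start|Security & Privacy|/Applications/FakeStatus.app/Contents/MacOS/Security & Privacy|carol",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.ts:%H:%M} user={a.user} ui={a.ui_process!r} "
              f"missing={a.missing} terminated={a.recently_terminated} unobserved={a.unobserved}")
```

Running the script prints two alerts: a high-severity one for mac-042, where a spoofed "Security & Privacy" window appeared one and two minutes after XprotectService and the AV agent exited, and a medium one for mac-099, where the same window appeared on a host with no daemon telemetry at all. The genuine System Settings launch on mac-042 is not flagged even though XProtect is still down, because it came from the trusted /System path; in production the path check should be backed by the EDR's code-signature fields rather than path alone, since a path is easy to forge on an unprotected host.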

Mitigation priorities

  • Ensure macOS security component health is monitored independently of what is displayed to users.
  • Harden and monitor endpoint protection, Gatekeeper, and XProtect-related configurations through managed endpoint controls where applicable.
  • Create incident response procedures for cases where user-visible security status conflicts with backend telemetry.
  • Restrict and audit administrative actions that can stop or disable security daemons.
  • Maintain compliance evidence showing security-control health is measured from reliable endpoint or management-plane data, not only from local UI indicators.

Analyst notes and limits

The object is a detection analytic for macOS only. It provides a clear detection idea—correlating fake or spoofed security UI with missing or terminated security daemons—but does not include a formal analytic query, mapped tactics, mapped techniques, or relationship context. Glexia’s interpretation therefore emphasizes validation questions, telemetry requirements, and control assurance rather than asserting specific adversary behavior or coverage.

Official detection content is not provided, and no relationships are supplied. The ATT&CK object does not specify tactics, techniques, adversaries, software, impact, or active exploitation. Local macOS configuration, endpoint tooling, and logging depth are required to determine whether this analytic can be implemented reliably.

Official MITRE ATT&CK definition

Analytic 0870

Detection of fake or spoofed macOS Security & Privacy GUIs showing healthy status after XProtect, Gatekeeper, or AV processes are disabled. Correlates user-space UI process creation with terminated or missing security daemons.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2be7a4054ba984eb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 2be7a4054ba9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0870
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.