MITRE ATT&CK® Analytic

AN0977: Analytic 0977

Detect execution of `/usr/libexec/security_authtrampoline` or use of AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges.

Enterprise | AN0977 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it targets one specific macOS privilege-escalation path: an application calls the `AuthorizationExecuteWithPrivileges` API, which launches `/usr/libexec/security_authtrampoline`, a setuid-root helper, to run a target program as root on the caller's behalf. The API has been deprecated since macOS 10.7 but still works, and legitimate installers and helpdesk tools still use it, so the activity is not rare on its own. For leaders, the practical question is whether the organization can see when a GUI application, or a child process of one, obtains root through this path in a way that does not match normal administrative workflows.

Executive priority

Prioritize this as a macOS endpoint visibility and privileged activity validation item. It supports incident decision-making and audit confidence by testing whether SOC and IR teams can identify unusual privilege-related process lineage on managed Macs, especially where administrator actions, helpdesk tools, or user-launched GUI applications could create noisy but important signals.

Technical view

Validate macOS telemetry for the observable chain this API produces: an unprivileged calling process (typically a GUI application running as the logged-in user) spawns `/usr/libexec/security_authtrampoline`, which, because it is setuid root, runs with effective uid 0 while the real uid still identifies the requesting user; the trampoline then executes the target tool, also as root. The API call itself happens inside the calling process and produces no process event of its own, so "evidence of `AuthorizationExecuteWithPrivileges` usage" in practice means the trampoline execution plus its parent and child, unless endpoint tooling hooks the API directly. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic to test macOS privileged execution visibility rather than as proof of a specific intrusion stage.

Likely telemetry

  • macOS process creation events
  • Process parent-child lineage
  • Command path and executable path telemetry for `/usr/libexec/security_authtrampoline`
  • Endpoint security or EDR events showing elevated process launches
  • Application launch events for GUI apps

Detection direction

  • Confirm whether endpoint tooling records execution of `/usr/libexec/security_authtrampoline` on macOS systems.
  • Baseline legitimate administrative and helpdesk-driven uses to reduce false positives.
  • Review parent and child process lineage for GUI applications launched with elevated privileges, especially unusual parents, users, or execution paths.
  • Tune detections around abnormal combinations of user context, parent process, child application, and privilege elevation rather than path execution alone.
  • Document telemetry gaps: the `AuthorizationExecuteWithPrivileges` call is in-process and leaves no process event, so a detection keyed on the API name alone has nothing to match; what process telemetry sees is the resulting `security_authtrampoline` execution, its parent, and the privileged child it spawns.
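As an added example (not code from MITRE or from this page), the detection direction above run in Python over constructed macOS process-exec events. The event schema (pid, ppid, uid, euid, user, path), the approved-parent baseline and the sample process chains are assumptions for the illustration, not a real EDR format. The one real detail the sample reproduces is that `security_authtrampoline` is a setuid-root helper, so its events and those of the tool it launches carry effective uid 0 while the real uid still belongs to the requesting user.

```python
"""Hunt for AuthorizationExecuteWithPrivileges activity in macOS process telemetry.

Finds executions of security_authtrampoline, recovers the GUI application that
invoked it and the privileged child it spawned, and scores each chain against a
local baseline. Field names, the baseline and the events are assumptions.
"""
import json
from collections import defaultdict

AUTHTRAMPOLINE = "/usr/libexec/security_authtrampoline"

# Hypothetical per-organization baseline: parent executables whose use of the
# trampoline is an approved administrative workflow (fill from local baselining).
BASELINE_PARENTS = {
    "/Applications/Approved Helpdesk.app/Contents/MacOS/Approved Helpdesk",
}

# Targets that an approved GUI workflow should rarely need to run as root.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/",
                 "/private/var/folders/")

# Constructed sample telemetry (not real EDR output), one exec event per line:
# an approved helpdesk chain, then a downloaded "Updater" that runs /bin/sh as root.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": 1, "pid": 300, "ppid": 1, "uid": 501, "euid": 501, "user": "jsmith",
     "path": "/Applications/Approved Helpdesk.app/Contents/MacOS/Approved Helpdesk"},
    {"ts": 2, "pid": 301, "ppid": 300, "uid": 501, "euid": 0, "user": "jsmith",
     "path": AUTHTRAMPOLINE},
    {"ts": 3, "pid": 302, "ppid": 301, "uid": 501, "euid": 0, "user": "jsmith",
     "path": "/usr/local/bin/approved-fixup"},
    {"ts": 4, "pid": 400, "ppid": 1, "uid": 501, "euid": 501, "user": "jsmith",
     "path": "/Users/jsmith/Downloads/Updater.app/Contents/MacOS/Updater"},
    {"ts": 5, "pid": 401, "ppid": 400, "uid": 501, "euid": 0, "user": "jsmith",
     "path": AUTHTRAMPOLINE},
    {"ts": 6, "pid": 402, "ppid": 401, "uid": 501, "euid": 0, "user": "jsmith",
     "path": "/bin/sh"},
    {"ts": 7, "pid": 500, "ppid": 1, "uid": 0, "euid": 0, "user": "root",
     "path": "/usr/sbin/cron"},
])


def parse_events(text):
    """Parse newline-delimited JSON exec events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_events(events):
    """Return (pid -> event, ppid -> [child events]) maps for lineage walks."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def gui_ancestor(by_pid, pid):
    """Walk up the parent chain to the nearest executable inside an .app bundle."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        if "/Contents/MacOS/" in event["path"]:
            return event
        pid = event["ppid"]
    return None


def analyze(text):
    """Return one finding per security_authtrampoline execution, with reasons."""
    events = parse_events(text)
    by_pid, children = index_events(events)
    findings = []
    for tramp in (e for e in events if e["path"] == AUTHTRAMPOLINE):
        parent = by_pid.get(tramp["ppid"])
        app = gui_ancestor(by_pid, tramp["ppid"])
        targets = children[tramp["pid"]]
        reasons = []
        if parent is None or parent["path"] not in BASELINE_PARENTS:
            reasons.append("parent not in approved baseline")
        if app is not None and app["path"].startswith(USER_WRITABLE):
            reasons.append(f"GUI parent runs from user-writable path: {app['path']}")
        for t in targets:
            if t["path"] in INTERPRETERS:
                reasons.append(f"privileged target is an interpreter: {t['path']}")
            if t["path"].startswith(USER_WRITABLE):
                reasons.append(f"privileged target in user-writable path: {t['path']}")
        findings.append({
            "trampoline_pid": tramp["pid"],
            "user": tramp["user"],
            # setuid root: euid 0 with a non-root real uid shows who asked for root
            "elevated": tramp["euid"] == 0 and tramp["uid"] != 0,
            "gui_app": app["path"] if app else None,
            "targets": [t["path"] for t in targets],
            "severity": "high" if reasons else "baseline",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

The point of scoring on the combination (parent, user, GUI app location, child target) rather than on the trampoline path alone is that the approved helpdesk chain and the malicious one both execute the same `/usr/libexec/security_authtrampoline` binary; only lineage separates them.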

Mitigation priorities

  • Ensure macOS endpoints are enrolled in managed endpoint monitoring capable of process lineage collection.
  • Restrict and review local administrator privileges where business operations allow.
  • Standardize approved administrative workflows so unusual elevated GUI launches are easier to identify.
  • Use endpoint hardening and privilege governance processes to limit unnecessary privileged application execution.
  • Include this analytic in macOS detection validation and incident response tabletop scenarios.

Analyst notes and limits

The supplied object is a detection analytic for macOS and provides a concise detection intent but no separate official detection logic, tactics, relationships, procedures, or mitigations. Local baselining is important because privileged administrative workflows may legitimately involve GUI application launches.

Assessment is limited to the supplied ATT&CK analytic fields and external reference. No active exploitation, threat actor usage, specific technique relationship, or guaranteed detection coverage is stated in the source data.

Official MITRE ATT&CK definition

Analytic 0977

Detect execution of `/usr/libexec/security_authtrampoline` or use of AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 658abd6c1275d6c7...

Imported snapshots across ATT&CK releases (1)
Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (blank)           1.0              (blank)    Current bundle   658abd6c1275…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0977 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.