AN1063: Analytic 1063
Execution of unsigned kernel extensions (KEXTs), tampering with LaunchDaemons, or userspace hooks into system libraries.
Analyst context for executives and security teams
This analytic points to high-risk macOS persistence or system manipulation behaviors: unsigned kernel extensions, tampered LaunchDaemons, and userspace hooks into system libraries. For leaders, the practical issue is whether macOS endpoints are governed and monitored deeply enough to prove that privileged system changes are legitimate, especially where macOS supports executives, developers, administrators, or other sensitive users.
Executive priority
Prioritize this as a macOS endpoint resilience and audit-readiness question: can the organization validate integrity of privileged startup items, kernel-level components, and system-library behavior? The ATT&CK object does not provide tactics or a detection method, so leadership should ask whether existing endpoint controls, SOC telemetry, and incident response playbooks can distinguish approved administrative or software activity from unauthorized system tampering on macOS.
Technical view
For SOC, detection engineering, and IR teams, validate visibility on macOS for three evidence areas named by the analytic: unsigned KEXT execution, LaunchDaemon modification, and userspace hooks into system libraries. Because no official detection logic is supplied, teams should build local validation around authorized baselines, change monitoring, code-signing status, file integrity, and process/module behavior. Tuning should account for legitimate endpoint management, security tooling, developer tools, and software installers that may modify LaunchDaemons or load privileged components.
Likely telemetry
- macOS endpoint security or EDR events for kernel extension loading and code-signing status
- File integrity or configuration change events for LaunchDaemon paths and plist files
- Process execution and parent/child process context around LaunchDaemon creation or modification
- System library load, injection, or hooking-related telemetry where available
- Administrative action logs showing approved software installation or management activity
Detection direction
- Confirm whether macOS telemetry includes kernel extension load events and whether unsigned or untrusted signing states are visible to analysts.
- Baseline approved LaunchDaemons and alert on unauthorized creation, modification, ownership, permission, or persistence-related changes.
- Correlate system-library hook indicators with process lineage, user context, signing status, and known authorized tools to reduce false positives.
- Treat endpoint management, security agents, and developer workflows as key false-positive sources that require allowlisting by evidence, not assumption.
- Because ATT&CK provides no detection text or relationships for this analytic, validate coverage through controlled defensive testing in the local macOS fleet rather than assuming tool coverage.
Mitigation priorities
- Maintain an approved inventory of macOS kernel extensions, privileged agents, LaunchDaemons, and software that legitimately modifies system components.
- Enforce change control and administrative approval for privileged macOS components, especially on high-value or sensitive-user endpoints.
- Use endpoint controls that can evaluate code-signing, file integrity, and privileged persistence changes on macOS.
- Ensure incident response procedures include triage steps for suspicious LaunchDaemon changes, unsigned privileged components, and system-library tampering indicators.
- Preserve audit evidence showing approved baselines, monitoring coverage, and investigation outcomes for macOS system-level changes.
Analyst notes and limits
This is a detection analytic object for macOS only. The official description identifies behaviors but does not specify tactics, detection logic, data sources, mitigations, or related ATT&CK techniques in the supplied context. Defensive value depends heavily on local macOS management practices, endpoint tooling depth, and known-good baselines.
No official detection guidance or relationship context was supplied, so this take cannot assert specific detection coverage, ATT&CK tactic mapping, attacker intent, exploitation activity, or vendor-specific controls. Local telemetry validation is required.
Analytic 1063
Execution of unsigned kernel extensions (KEXTs), tampering with LaunchDaemons, or userspace hooks into system libraries.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | c6ba22e4c4f5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1063Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.