AN1099: Analytic 1099
Monitor for runtime manipulation by observing changes in application bundles, unexpected signing modifications, and runtime API calls that inject or alter how data is displayed. Detect alterations in CFNetwork or CoreFoundation frameworks responsible for rendering data.
Analyst context for executives and security teams
This analytic is about macOS runtime manipulation that changes how applications or system frameworks display data. For leaders, the business issue is trust: if endpoint software or user-facing application content can be altered at runtime, users and responders may make decisions based on manipulated information. The value of this analytic is to validate whether macOS monitoring can see suspicious application bundle changes, signing changes, and runtime API activity involving CFNetwork or CoreFoundation.
Executive priority
Prioritize this where macOS endpoints support privileged users, developers, executives, or business workflows that rely on trusted application output. The key management question is whether the organization can prove, during an incident or audit, that it monitors integrity-sensitive changes to macOS application bundles and relevant framework activity. Because ATT&CK provides no tactic mapping, detection text, or relationships for this object, use it as a coverage-validation prompt rather than a standalone risk conclusion.
Technical view
For SOC and detection engineering teams, validate telemetry on macOS for application bundle modification, code-signing or signature-state changes, and runtime API activity that may alter rendered data. Pay particular attention to activity associated with CFNetwork and CoreFoundation because the official description identifies those frameworks as relevant to rendering data. Since no official detection logic is supplied, teams should define local baselines for legitimate application updates, developer activity, and signed software changes before alerting on deviations.
Likely telemetry
- macOS file integrity or endpoint telemetry for application bundle changes
- Code-signing, notarization, or signature-validation events where available
- Endpoint detection telemetry for runtime API calls and process behavior
- Process, module, or framework usage telemetry involving CFNetwork and CoreFoundation
- Software update and application deployment records to distinguish authorized changes from unexpected ones
Detection direction
- Validate that macOS endpoint coverage includes application bundle paths and can identify unexpected modifications rather than only process starts.
- Tune detections against known software update, patching, and developer workflows to reduce false positives from legitimate bundle or signing changes.
- Correlate signing changes with file modification time, responsible process, user context, and deployment source.
- Review whether telemetry exposes runtime API behavior involving CFNetwork or CoreFoundation; many environments may not collect this depth by default.
- Treat this analytic as supporting evidence for investigation, not a complete detection strategy, because ATT&CK did not provide official detection logic or relationship context.
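As an added illustration of the correlation step above (example code, not part of the ATT&CK object or Glexia's analysis), the Python below runs that logic over constructed telemetry events: bundle writes and signing-state changes are joined by bundle, time window and responsible process, and anything off the authorized update path is raised. The event schema, the authorized-writer allowlist and the 300-second window are assumptions a team would replace with its own baseline.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; the field names are an assumed
# normalized schema, not any particular EDR or file-integrity product's format.
EVENTS = [
    {"ts": "2026-01-10T09:00:05", "kind": "file_modify", "user": "root", "process": "installd",
     "path": "/Applications/Ledger.app/Contents/MacOS/Ledger"},
    {"ts": "2026-01-10T09:00:07", "kind": "signature_change", "user": "root", "process": "installd",
     "path": "/Applications/Ledger.app", "before": "valid", "after": "valid"},
    {"ts": "2026-01-10T14:21:40", "kind": "file_modify", "user": "alice", "process": "bash",
     "path": "/Applications/Ledger.app/Contents/Resources/ui.js"},
    {"ts": "2026-01-10T14:21:43", "kind": "signature_change", "user": "alice", "process": "bash",
     "path": "/Applications/Ledger.app", "before": "valid", "after": "invalid"},
    {"ts": "2026-01-10T15:02:00", "kind": "file_modify", "user": "alice", "process": "python3",
     "path": "/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork"},
]

# Assumed local baseline: processes that legitimately write bundles on an authorized update path.
AUTHORIZED_WRITERS = {"installd", "softwareupdated", "mdm-agent"}
WATCHED_FRAMEWORKS = ("CFNetwork.framework", "CoreFoundation.framework")
BUNDLE_RE = re.compile(r"^(.*?\.(?:app|framework))(?:/|$)")
WINDOW = timedelta(seconds=300)  # how far back a signing change looks for related writes


def bundle_of(path):
    # Reduce a file path to its enclosing .app or .framework bundle, or None.
    m = BUNDLE_RE.match(path)
    return m.group(1) if m else None


def correlate(events, authorized=AUTHORIZED_WRITERS, window=WINDOW):
    """Alerts for unauthorized writes to watched frameworks, and for signing changes
    whose responsible process or preceding bundle writers fall outside the baseline."""
    alerts = []
    writes = [e for e in events if e["kind"] == "file_modify"]
    for w in writes:
        b = bundle_of(w["path"])
        if b and b.endswith(WATCHED_FRAMEWORKS) and w["process"] not in authorized:
            alerts.append({"bundle": b, "reason": "framework_write",
                           "processes": {w["process"]}, "user": w["user"]})
    for s in (e for e in events if e["kind"] == "signature_change"):
        st = datetime.fromisoformat(s["ts"])
        # Writes to the same bundle shortly before the signing change are its likely cause.
        related = [w for w in writes if bundle_of(w["path"]) == s["path"]
                   and timedelta(0) <= st - datetime.fromisoformat(w["ts"]) <= window]
        writers = {w["process"] for w in related} | {s["process"]}
        if writers - authorized:  # at least one writer is off the authorized update path
            alerts.append({"bundle": s["path"], "reason": "signature_change", "user": s["user"],
                           "transition": f'{s["before"]}->{s["after"]}',
                           "processes": writers - authorized, "related_writes": len(related)})
    return alerts
```

Running `correlate(EVENTS)` yields two alerts: the unsigned user-shell edit that flipped Ledger.app to an invalid signature, and the script write into CFNetwork.framework; the installd re-sign is suppressed by the baseline.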
Mitigation priorities
- Establish and enforce authorized software update and deployment paths for macOS applications.
- Maintain integrity monitoring for sensitive application bundles where business workflows depend on trusted display of data.
- Use code-signing and application control governance to make unexpected signing modifications visible and reviewable.
- Ensure incident response playbooks include collection of modified bundles, signature state, process context, and relevant macOS endpoint telemetry.
- Document macOS monitoring coverage and gaps as compliance and audit evidence where endpoint integrity is in scope.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It names application bundle changes, signing modifications, runtime API calls, and CFNetwork/CoreFoundation alteration as the relevant observation areas. No tactics, relationships, aliases, labels, or official detection procedure were supplied, so local engineering is required to translate this into concrete queries or rules.
This analysis is limited to the official STIX fields, the external reference, and the absence of supplied relationships. It does not establish adversary use, active exploitation, impact, affected products beyond macOS, or guaranteed detectability. Environment-specific telemetry depth will determine whether the analytic is actionable.
Analytic 1099
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fa1d20d52d15… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1099 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.