AN1139: Analytic 1139
Detects abnormal or rare logins via local accounts through system or remote mechanisms such as SSH.
Analyst context for executives and security teams
Analytic 1139 matters because unusual macOS logins using local accounts, including through SSH or other system/remote mechanisms, can be an early sign that an account or host trust boundary is being misused. For leaders, the decision value is not the analytic name itself; it is whether the organization can distinguish expected administrator activity from rare or abnormal local-account access before an incident escalates.
Executive priority
Prioritize this as a macOS identity and endpoint visibility question. Security leaders should ask whether local accounts are inventoried, whether SSH and remote login paths are governed, and whether SOC or managed detection teams can explain what is normal for local-account use on macOS. This supports incident readiness, audit evidence for access monitoring, and control prioritization around privileged or unmanaged local accounts.
Technical view
For SOC, detection engineering, and IR teams, validate whether macOS login events can identify local account usage, source context, destination host, remote mechanism such as SSH where available, and historical baselines for rarity. Because ATT&CK provides no official detection logic and no relationship context for this analytic, teams should treat it as a behavior-focused detection requirement: find abnormal or rare local-account logins on macOS and separate expected administrative activity from unusual access patterns.
Likely telemetry
- macOS authentication and login records
- SSH or remote login service logs where enabled
- Endpoint security or EDR authentication telemetry for macOS hosts
- Local account inventory and account metadata
- Host identity, user identity, source address, timestamp, and login mechanism fields
Detection direction
- Baseline local-account logins by macOS host, user, source, time, and remote mechanism to identify rare or abnormal patterns.
- Validate that SSH-based logins are captured when SSH or remote login is enabled.
- Tune for known administrator workflows, maintenance windows, automation, and break-glass accounts to reduce false positives.
- Pay special attention to local accounts that are seldom used, privileged, newly created, or not tied to a documented owner, if that evidence is available locally.
- Confirm coverage on macOS systems outside standard endpoint management, because unmanaged hosts can become blind spots.
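The baselining steps above, as an added example that is not part of the ATT&CK object or this page's source data. It parses standard OpenSSH "Accepted ..." messages (the ISO timestamp and hostname prefix is an assumed collector format, and all hostnames, addresses, account names and the local-account inventory are constructed), builds a baseline of host/user/mechanism/source tuples and active hours from a historical window, then scores logins in a detection window for never-seen or rare combinations, unusual hours, and local accounts without a documented owner. Console (loginwindow) events would be normalized into the same event shape with a different mechanism value; that ingest path is not shown.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed line shape (constructed for this example): an ISO-8601 timestamp and
# hostname prefixed to a standard OpenSSH "Accepted ..." message. Real collectors
# (unified log, syslog forwarders, EDR) differ; adjust the regex to your source.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_sshd_login(line):
    """Normalize one successful sshd login line into an event dict; None if no match."""
    m = SSHD_ACCEPTED.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "mechanism": "ssh",
        "method": m["method"],
    }


def build_baseline(events):
    """Summarize history: count of each host/user/mechanism/source tuple, and the
    hours of day at which each host/user pair was active."""
    tuples = Counter()
    hours = defaultdict(set)
    for e in events:
        tuples[(e["host"], e["user"], e["mechanism"], e["src"])] += 1
        hours[(e["host"], e["user"])].add(e["ts"].hour)
    return {"tuples": tuples, "hours": hours}


def score_login(event, baseline, local_accounts, min_seen=3):
    """Return the reasons a login looks rare or abnormal (empty list = expected)."""
    if event["user"] not in local_accounts:
        return []  # directory/network accounts are out of scope for this analytic
    host, user = event["host"], event["user"]
    reasons = []
    seen = baseline["tuples"][(host, user, event["mechanism"], event["src"])]
    if seen == 0:
        reasons.append("never seen: new host/user/mechanism/source combination")
    elif seen < min_seen:
        reasons.append(f"rare: seen {seen} time(s) in baseline")
    if (host, user) not in baseline["hours"]:
        reasons.append("no login history for this account on this host")
    elif event["ts"].hour not in baseline["hours"][(host, user)]:
        reasons.append(f"unusual hour: {event['ts'].hour:02d}:00 not in baseline")
    if local_accounts[user].get("owner") is None:
        reasons.append("local account has no documented owner")
    return reasons


# Constructed local-account inventory (in practice, exported from each host's local directory).
LOCAL_ACCOUNTS = {
    "admin": {"owner": "it-ops", "privileged": True},
    "svc_backup": {"owner": "backup-team", "privileged": False},
    "_deploy": {"owner": None, "privileged": True},
}

# Constructed baseline window: routine sessions from a jump host during business hours.
BASELINE_LINES = [
    "2024-04-01T09:05:00 mac-build-01 sshd[401]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2",
    "2024-04-02T09:40:00 mac-build-01 sshd[402]: Accepted publickey for admin from 10.0.0.5 port 51001 ssh2",
    "2024-04-03T10:15:00 mac-build-01 sshd[403]: Accepted publickey for admin from 10.0.0.5 port 51002 ssh2",
    "2024-04-04T09:50:00 mac-build-01 sshd[404]: Accepted publickey for admin from 10.0.0.5 port 51003 ssh2",
    "2024-04-05T10:05:00 mac-build-01 sshd[405]: Accepted publickey for svc_backup from 10.0.0.5 port 51004 ssh2",
]

# Constructed detection window: one expected session, three that should stand out,
# and one non-local account that the analytic ignores.
DETECTION_LINES = [
    "2024-04-08T09:30:00 mac-build-01 sshd[501]: Accepted publickey for admin from 10.0.0.5 port 51100 ssh2",
    "2024-04-08T03:12:00 mac-build-01 sshd[502]: Accepted password for admin from 203.0.113.7 port 40022 ssh2",
    "2024-04-08T10:00:00 mac-build-01 sshd[503]: Accepted publickey for svc_backup from 10.0.0.5 port 51101 ssh2",
    "2024-04-08T22:45:00 mac-build-01 sshd[504]: Accepted publickey for _deploy from 10.0.0.9 port 51102 ssh2",
    "2024-04-08T11:00:00 mac-build-01 sshd[505]: Accepted publickey for jdoe from 10.0.0.5 port 51103 ssh2",
]


def run_example(baseline_lines=BASELINE_LINES, detection_lines=DETECTION_LINES):
    """Build the baseline, score the detection window, and return only the flagged logins."""
    baseline = build_baseline(e for e in map(parse_sshd_login, baseline_lines) if e)
    findings = {}
    for line in detection_lines:
        event = parse_sshd_login(line)
        if event is None:
            continue
        reasons = score_login(event, baseline, LOCAL_ACCOUNTS)
        if reasons:
            key = f"{event['user']}@{event['host']} from {event['src']} at {event['ts'].isoformat()}"
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in run_example().items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

The `min_seen` threshold and the hour-of-day check are the tuning knobs for the false-positive sources the list above names: raise the threshold or widen the baseline window for maintenance and automation accounts, and carry break-glass accounts in the inventory with an owner so that their (rare by design) use is flagged for triage rather than suppressed.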
Mitigation priorities
- Inventory and govern local accounts on macOS systems, especially privileged and break-glass accounts.
- Restrict and review SSH or remote login exposure where it is not operationally required.
- Enforce least privilege and documented ownership for local accounts.
- Align monitoring requirements with endpoint logging and identity governance processes so authentication evidence is retained and searchable.
- Create incident response triage steps for abnormal local-account login alerts, including validation of legitimate administration versus suspicious access.
Analyst notes and limits
This take is based on ATT&CK analytic AN1139, which is scoped to macOS and describes detection of abnormal or rare logins via local accounts through system or remote mechanisms such as SSH. No tactics, official detection logic, aliases, labels, or relationship context were supplied, so the guidance focuses on practical validation of telemetry, baselining, and control ownership rather than specific rule syntax.
The source object does not provide a detection query, data source list, tactic mapping, related techniques, or examples. Local environment knowledge is required to define rarity, identify approved administrative behavior, and determine which macOS hosts expose SSH or other remote login mechanisms.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6df35213b19e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1139
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.