AN1163: Analytic 1163
Access of mounted cloud shares or document repositories via browser, terminal, or Finder by users not typically interacting with those resources. Includes script-based enumeration or mass download.
Analyst context for executives and security teams
This analytic is about spotting unusual macOS user access to mounted cloud shares or document repositories, especially when access happens through a browser, terminal, or Finder and the user does not normally interact with those resources. For leaders, the value is in validating whether sensitive shared data access is observable and whether the organization can distinguish normal collaboration from possible enumeration or mass download behavior.
Executive priority
Prioritize this where business-critical documents, regulated data, or operational repositories are accessible from macOS endpoints. The key management question is not only whether access is allowed, but whether security teams can prove who accessed shared resources, from where, by what tool, and whether the activity was unusual for that user. This supports incident response decisions, audit evidence, insider-risk review, and cloud/document repository control validation.
Technical view
SOC and detection teams should validate coverage for macOS access to mounted cloud shares and document repositories through browser, terminal, and Finder activity. Because no official detection logic is supplied, detection should focus on behavioral baselining: users accessing repositories they rarely or never use, script-like enumeration patterns, high-volume file listing, or mass download behavior. Tuning should account for legitimate role changes, onboarding, project work, migrations, and administrative activity.
Likely telemetry
- macOS endpoint process execution telemetry for browser, terminal, shell, and Finder-related access patterns
- File system access telemetry for mounted shares and synchronized or mounted document repositories
- Cloud share or document repository audit logs showing user, resource, action, volume, and timestamp
- Identity and authentication logs tying the macOS user/session to repository access
- Browser, proxy, or network logs where repository access occurs through web interfaces
Detection direction
- Build baselines of normal user-to-repository interaction and alert on first-time, rare, or unusual access to sensitive shares.
- Correlate macOS endpoint activity with cloud/document repository audit events to distinguish browser, Finder, and terminal-driven access.
- Look for volume and pattern anomalies consistent with enumeration or mass download, while suppressing known migration, backup, or sanctioned administrative workflows.
- Validate whether terminal or script-driven access is visible; this is a likely blind spot if only browser or cloud-console logs are monitored.
- Tune by user role, department, data sensitivity, and expected project access to reduce false positives from legitimate collaboration changes.
Mitigation priorities
- Confirm least-privilege access to mounted cloud shares and document repositories, especially for sensitive or business-critical data.
- Perform periodic access reviews for users and groups with repository permissions.
- Ensure repository audit logging and macOS endpoint telemetry are retained long enough to support investigations.
- Use data classification and sensitivity-based monitoring to prioritize alerts involving important repositories.
- Define incident response playbooks for unusual repository access, including account validation, access revocation decisions, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS focused on anomalous access to mounted cloud shares or document repositories. It has no specified tactics, no official detection logic, and no relationship context, so this take emphasizes practical validation of telemetry, baselining, and access governance rather than asserting a specific adversary technique or detection rule.
No official detection text, tactics, relationships, aliases, or procedure examples were supplied. Local repository architecture, logging availability, user role context, and normal collaboration patterns are required before this can be converted into reliable detection logic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f569618f735e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.