Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1167: Analytic 1167

Repetitive triggering of GUI or backend application workflows that cause increased CPU/memory usage, logged in unified logs as spin reports or crash dumps.

EnterpriseAN1167AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant to macOS environments where repeated application workflow triggering can drive excessive CPU or memory consumption and leave evidence as spin reports or crash dumps in unified logs. For leaders, the value is not attribution; it is operational visibility into application-level behaviors that may degrade endpoint reliability, disrupt user productivity, or signal abnormal automation against local workflows.

Executive priority

Prioritize this where macOS endpoints support business-critical users, operations, or regulated workflows. Executives should ask whether SOC and endpoint teams can distinguish normal application instability from repeated, suspicious workflow triggering, and whether crash/spin evidence is retained long enough to support incident response, compliance inquiries, and vendor/application remediation decisions.

Technical view

For SOC, detection engineering, and IR teams, validate macOS telemetry around unified logs, spin reports, crash dumps, process identity, parent/child process context, user/session context, and resource usage trends. Because the ATT&CK object provides no official detection logic and no tactic mapping, treat this as a behavior-focused analytic requiring local baselining: repeated workflow-triggered application hangs or crashes should be correlated with process frequency, timing, affected users, and CPU/memory spikes.

Likely telemetry

  • macOS unified logs
  • Spin reports
  • Crash dumps
  • Endpoint process execution metadata
  • CPU and memory utilization metrics

Detection direction

  • Confirm that macOS unified logs, spin reports, and crash dumps are collected, retained, and searchable for managed endpoints.
  • Baseline normal crash and spin-report rates by application, user group, and device role before alerting on repetition.
  • Correlate repeated spin/crash events with CPU and memory spikes to reduce noise from isolated application defects.
  • Tune for high-frequency or clustered events affecting the same application, user, host, or workflow.
  • Review false positives from unstable applications, software updates, plug-ins, accessibility tools, or legitimate automation.

Mitigation priorities

  • Ensure macOS endpoint logging and diagnostic artifact retention meet IR and audit needs.
  • Patch or remediate applications that generate repeated spin reports or crash dumps under normal use.
  • Limit unnecessary automation or background workflow triggers where they create operational instability.
  • Use endpoint management to maintain application version consistency and reduce avoidable crash noise.
  • Define escalation criteria for repeated resource-exhaustion symptoms affecting business-critical users or applications.
Analyst notes and limits

This is a detection analytic object for macOS, not a technique description. Its practical use is as a coverage and telemetry validation prompt: can the organization see repeated application workflow stress through macOS diagnostic evidence, and can analysts separate benign instability from suspicious repetition?

The supplied object has no official detection text, no tactics, no relationships, and no attribution or exploitation context. Any alert thresholds, severity, or response playbooks must be based on local macOS fleet behavior and business criticality.

Official MITRE ATT&CK definition

Analytic 1167

Repetitive triggering of GUI or backend application workflows that cause increased CPU/memory usage, logged in unified logs as spin reports or crash dumps.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3a4afb8962f68919...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3a4afb8962f6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1167
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use