MITRE ATT&CK® Analytic

AN1184: Analytic 1184

API usage or filesystem access revealing user state or browser artifacts (e.g., Safari bookmarks, CGEventState).

Enterprise · AN1184 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic points to macOS activity where an application or process accesses APIs or files that reveal user state or browser artifacts, such as Safari bookmarks or CGEventState. For leaders, the value is not in treating this as automatically malicious, but in confirming whether the organization can see when sensitive local user context is being queried or read on managed Macs. That visibility can matter during incident response, privacy reviews, and endpoint control validation.

Executive priority

Prioritize this as a macOS endpoint visibility and readiness question. Security leaders should ask whether managed detection, EDR, logging, and macOS privacy controls provide usable evidence when applications access browser artifacts or user-state APIs. This can support incident triage, audit evidence around endpoint monitoring, and decisions about which macOS data-access controls require tighter governance.

Technical view

The supplied ATT&CK object is a detection analytic for macOS, but it does not provide a formal detection statement, tactic mapping, or relationship context. SOC and detection engineering teams should therefore treat it as a validation prompt: determine whether telemetry captures process-level API usage or filesystem access involving user-state and browser-artifact locations, including Safari-related artifacts where applicable. IR teams should correlate such access with process identity, code-signing status, parent process, user session, file path, and timing before escalating.

Likely telemetry

  • macOS endpoint process execution telemetry
  • Filesystem access events for browser artifact locations such as Safari-related files
  • Application/API usage telemetry where available for user-state access such as CGEventState
  • File path, user account, process, parent process, and timestamp metadata
  • Code-signing, notarization, or application identity metadata from endpoint tooling

Detection direction

  • Inventory whether current macOS telemetry can show both filesystem reads and relevant API access; many environments may only see process execution, not the specific user-state access described.
  • Tune detections around unusual or unauthorized processes accessing browser artifacts or user-state APIs, while allowing expected browsers, management tools, accessibility tools, and enterprise software.
  • Correlate access events with process lineage and application trust signals to reduce false positives.
  • Because no official detection logic is supplied, validate any rule locally against normal macOS administrative and user workflows before using it for alerting.
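The bullets above describe a triage flow rather than a rule: watch reads of browser-artifact paths, suppress expected readers by code-signing identity, and weigh process lineage before alerting. The following is an added example of that flow in Python; it is not MITRE or Glexia code and no detection logic ships with AN1184. The Safari bookmarks path and the `com.apple.Safari` signing identifier are the only real values; the second path glob, the `com.example.mdm-agent` allowlist entry, the scripting-parent set, and all events are constructed assumptions for illustration.

```python
"""Triage helper for macOS browser-artifact access events (added example).

Runs over constructed endpoint file-access records, suppresses readers whose
code-signing identifier is on an allowlist, and scores the rest by signing
status and parent-process lineage, as the analyst guidance above suggests.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional

# Watched artifact locations as path globs. Safari's Bookmarks.plist is the
# artifact the analytic names; the broader Safari profile glob is an assumption.
WATCHED_PATHS = {
    "safari_bookmarks": "/Users/*/Library/Safari/Bookmarks.plist",
    "safari_profile": "/Users/*/Library/Safari/*",
}

# Readers expected to touch these files, keyed by code-signing identifier.
# com.apple.Safari is Safari's real bundle ID; the second entry is a placeholder
# for an approved enterprise management agent (assumption).
EXPECTED_SIGNERS = {"com.apple.Safari", "com.example.mdm-agent"}

# Parent processes that suggest scripted or interactive command-line access
# rather than a user-launched application (assumption, tune per environment).
SCRIPT_PARENTS = {"bash", "zsh", "sh", "osascript", "python3", "Terminal"}


@dataclass
class FileAccessEvent:
    ts: str
    user: str
    process: str
    parent: str
    signing_id: Optional[str]   # None models an unsigned / ad-hoc signed binary
    path: str


@dataclass
class Finding:
    event: FileAccessEvent
    artifact: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def match_artifact(path: str) -> Optional[str]:
    """Return the watched-artifact label for a path, or None if not watched."""
    for name, pattern in WATCHED_PATHS.items():
        if fnmatch(path, pattern):
            return name
    return None


def triage(event: FileAccessEvent) -> Optional[Finding]:
    """Return a Finding for unexpected access to a watched artifact, else None."""
    artifact = match_artifact(event.path)
    if artifact is None:
        return None
    if event.signing_id in EXPECTED_SIGNERS:
        return None  # trusted reader: suppress to keep the alert volume usable
    reasons = []
    if event.signing_id is None:
        reasons.append("unsigned or ad-hoc signed process")
    else:
        reasons.append(f"signer {event.signing_id} not in the expected set")
    if event.parent in SCRIPT_PARENTS:
        reasons.append(f"launched from scripting/terminal parent {event.parent}")
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(event, artifact, severity, reasons)


def triage_all(events: List[FileAccessEvent]) -> List[Finding]:
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed sample telemetry, not captured from any real host.
SAMPLE_EVENTS = [
    FileAccessEvent("2026-01-10T09:00:01Z", "alice", "Safari", "launchd",
                    "com.apple.Safari", "/Users/alice/Library/Safari/Bookmarks.plist"),
    FileAccessEvent("2026-01-10T09:00:05Z", "alice", "mdm-agent", "launchd",
                    "com.example.mdm-agent", "/Users/alice/Library/Safari/Bookmarks.plist"),
    FileAccessEvent("2026-01-10T09:02:17Z", "alice", "python3", "zsh",
                    None, "/Users/alice/Library/Safari/Bookmarks.plist"),
    FileAccessEvent("2026-01-10T09:03:40Z", "alice", "syncer", "launchd",
                    "com.vendor.syncer", "/Users/alice/Library/Safari/History.db"),
    FileAccessEvent("2026-01-10T09:04:00Z", "alice", "Preview", "launchd",
                    "com.apple.Preview", "/Users/alice/Documents/report.pdf"),
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        e = f.event
        print(f"[{f.severity}] {e.ts} {e.user} {e.process} (parent {e.parent}) "
              f"read {f.artifact}: {'; '.join(f.reasons)}")
```

Run as a script it reports two findings from the five constructed events: the unsigned `python3` launched from `zsh` reading the bookmarks file scores high, the signed but unrecognised `syncer` reading another Safari profile file scores medium, and the two allowlisted readers plus the unrelated PDF read are suppressed. In a real deployment the allowlist would be populated from the application inventory the mitigation bullets call for, and the events would come from the EDR or Endpoint Security telemetry the page says must first be confirmed to exist.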

Mitigation priorities

  • Confirm macOS endpoint monitoring coverage for managed systems before relying on this analytic operationally.
  • Review application permissions and privacy-related controls for software that can access user state or browser data.
  • Limit unapproved software execution and maintain application inventory so unexpected access to user artifacts can be investigated quickly.
  • Document what telemetry is retained and searchable to support incident response and compliance evidence.

Analyst notes and limits

This object is best used as a coverage-check item for macOS detections involving user-state APIs and browser artifact access. It is especially relevant to teams responsible for endpoint visibility, managed detection, incident response readiness, and macOS control validation.

The official object provides only a short description, macOS platform scope, and an external reference. It does not include tactics, detection logic, data components, related techniques, threat actors, campaigns, mitigations, or evidence of active use. Local environment baselining is required to decide what is suspicious.

Official MITRE ATT&CK definition

Analytic 1184

API usage or filesystem access revealing user state or browser artifacts (e.g., Safari bookmarks, CGEventState).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f9fc4c9dede0728d...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status         | Raw hash       |
|---------|-----------------|----------------|----------|----------------|----------------|
| 19.1    |                 | 1.0            |          | Current bundle | f9fc4c9dede0…  |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1184 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.